Gender and Tech Resources - User contributions [en]

Analizar datos de twitter con R

2018-07-26T16:34:51Z

Anamhoo:

R <ref>https://www.r-project.org/</ref> es una herramienta poderosa para crear una gran diversidad de análisis, en este "How to" la usaremos para hacer una análisis de datos de Twitter <ref>https://www.twitter.com/</ref>.

== Requisitos ==
Tener Instalado el paquete R y la librería:

rtweet

Contar una cuenta en la appi de twitter <ref>https://apps.twitter.com/</ref>.

==Pasos==

El primer paso es dar de alta como una variable nuestra datos de acceso en la appi de twitter.

> Token <- create_token(
app = "usuaria",
consumer_key = "tus datos",
consumer_secret = "tus datos",
access_token = "tus datos",
access_secret = "tus datos"
)

Todos estos datos se encuentran cuando accedes a tu cuenta en <ref>https://apps.twitter.com/</ref>

En caso que el programa señale algún error sólo corrobora los datos que has dado de alta.

Ahora puedes elegir una cuenta sobre la cual quieres información y puedes:

Colectar su línea de tiempo

> get_timeline

Buscar los tweets de los últimos 9 días

> search_tweets

Ver sos seguidores

> get_followers

Conocer sus amigos:

> get_friends

Puedes ver la lista completa de en [https://cran.r-project.org/web/packages/rtweet/rtweet.pdf rtweet]

==Un ejemplo==

Vamos a hacer un análisis de la cuenta "AbortoLegalCL".
Desde la terminal vamos a ingresar al programa R

$ R

Una vez que ingresamos vamos a cargar la librería rtweet (que debe estar previamente instalada).

> require(rtweet)

Ahora daremos de alta como variable nuestro token:

> Token <- create_token(
app = "Anamhoo",
consumer_key = "___",
consumer_secret = "___",
access_token = "___",
access_secret = "___"
)

[[File:R_rtweet.png|400px|center|alt=Llamando a R]]

Ahora podemos iniciar la búsqueda de datos:

> ABLCL_timeline <- get_timeline("AbortoLegalCL", n = 4000, include_rts = TRUE)

> ABLCL_search <- search_tweets(
+ "AbortoLegalCL", n = 18000, include_rts = TRUE
+ )

> ABLCL_followers <-get_followers("AbortoLegalCL", n = 10000)

> ABLCL_friends <-get_friends("AbortoLegalCL", n = 10000)

> write_as_csv(ABLCL_timeline, "~/ABLCL_timeline.csv", prepend_ids = TRUE, na = "", fileEncoding = "UTF-8")

> write_as_csv(ABLCL_search, "/~/ABLCL_search.csv", prepend_ids = TRUE, na = "", fileEncoding = "UTF-8")

> write_as_csv(ABLCL_followers, "~/ABLCL_followers.csv", prepend_ids = TRUE, na = "", fileEncoding = "UTF-8")

> write_as_csv(ABLCL_friends, "~/ABLCL_friends.csv", prepend_ids = TRUE, na = "", fileEncoding = "UTF-8")

Con esta información tu puedes ahora hacer una análisis con programas como [https://gephi.org/ Gephi].

En nuestro ejemplo una cosa que nos llamó la atención es que uno de los primeros tweets hechos por éste usuario/a hacía un llamado a seguir a otras cuentas:

Apoyen la red latinoamericana pro aborto. #SeVaACaer
Sigan estas cuentas en Twitter:
@AbortoLegalMX (México)
@ProAbortoCol (Colombia)
@abortolegalperu (Perú)
@AbortoLegalCL (Chile)
@CampaaAbortoLeg (Argentina)

Con esta información repetimos el ejercicio para @abortolegalperu y @AbortoLegalMX.

Para el caso de @AbortoLegalMX encontramos un llamado a usar una serie de hashtag que conectan hacia las mismas cuentas:

PORQUE NUESTRO DERECHO ES ESCOGER! // ARTISTA: @styIinsonpure
#AbortoLegalArgentina
#AborteLegalMexico
#AbortoLegalColombia
#AbortoLegalPeru
#AbortoLegalChile

Y en el caso de @abortolegalperu hay un comportamiento semejante

Sigan a estas cuentas de los países que se están movilizando para que el aborto sea ley.
@AbortoLegalMX (México)
@ProAbortoCol (Colombia)
@abortolegalperu (Perú)
@AbortoLegalCL (Chile)
@CampaaAbortoLeg (Argentina)
Y de paso den RT para difundir

Ahora a partir de los tweets colectados hicimos un análisis de texto (ver How to "Hacer un análisis de texto")
Aquí los resultados:

[[File:Chile.png|400px|center|alt=Nube de palabras @AbortoLegalCL]]

[[File:ABLPu.png|400px|center|alt=Nube de palabras @abortolegalperu]]

[[File:ABLMx.png|400px|center|alt=Nube de palabras @AbortoLegalMX]]

==Links==

[[Category:How_To]]

File:R rtweet.png

2018-07-26T16:33:28Z

Anamhoo:

Analizar datos de twitter con R

2018-07-26T16:31:18Z

Anamhoo:

R <ref>https://www.r-project.org/</ref> es una herramienta poderosa para crear una gran diversidad de análisis, en este "How to" la usaremos para hacer una análisis de datos de Twitter <ref>https://www.twitter.com/</ref>.

== Requisitos ==
Tener Instalado el paquete R y la librería:

rtweet

Contar una cuenta en la appi de twitter <ref>https://apps.twitter.com/</ref>.

==Pasos==

El primer paso es dar de alta como una variable nuestra datos de acceso en la appi de twitter.

> Token <- create_token(
app = "usuaria",
consumer_key = "tus datos",
consumer_secret = "tus datos",
access_token = "tus datos",
access_secret = "tus datos"
)

Todos estos datos se encuentran cuando accedes a tu cuenta en <ref>https://apps.twitter.com/</ref>

En caso que el programa señale algún error sólo corrobora los datos que has dado de alta.

Ahora puedes elegir una cuenta sobre la cual quieres información y puedes:

Colectar su línea de tiempo

> get_timeline

Buscar los tweets de los últimos 9 días

> search_tweets

Ver sos seguidores

> get_followers

Conocer sus amigos:

> get_friends

Puedes ver la lista completa de en [https://cran.r-project.org/web/packages/rtweet/rtweet.pdf rtweet]

==Un ejemplo==

Vamos a hacer un análisis de la cuenta "AbortoLegalCL".
Desde la terminal vamos a ingresar al programa R

$ R

Una vez que ingresamos vamos a cargar la librería rtweet (que debe estar previamente instalada).

> require(rtweet)

Ahora daremos de alta como variable nuestro token:

> Token <- create_token(
app = "Anamhoo",
consumer_key = "___",
consumer_secret = "___",
access_token = "___",
access_secret = "___"
)

Ahora podemos iniciar la búsqueda de datos:

> ABLCL_timeline <- get_timeline("AbortoLegalCL", n = 4000, include_rts = TRUE)

> ABLCL_search <- search_tweets(
+ "AbortoLegalCL", n = 18000, include_rts = TRUE
+ )

> ABLCL_followers <-get_followers("AbortoLegalCL", n = 10000)

> ABLCL_friends <-get_friends("AbortoLegalCL", n = 10000)

> write_as_csv(ABLCL_timeline, "~/ABLCL_timeline.csv", prepend_ids = TRUE, na = "", fileEncoding = "UTF-8")

> write_as_csv(ABLCL_search, "/~/ABLCL_search.csv", prepend_ids = TRUE, na = "", fileEncoding = "UTF-8")

> write_as_csv(ABLCL_followers, "~/ABLCL_followers.csv", prepend_ids = TRUE, na = "", fileEncoding = "UTF-8")

> write_as_csv(ABLCL_friends, "~/ABLCL_friends.csv", prepend_ids = TRUE, na = "", fileEncoding = "UTF-8")

Con esta información tu puedes ahora hacer una análisis con programas como [https://gephi.org/ Gephi].

En nuestro ejemplo una cosa que nos llamó la atención es que uno de los primeros tweets hechos por éste usuario/a hacía un llamado a seguir a otras cuentas:

Apoyen la red latinoamericana pro aborto. #SeVaACaer
Sigan estas cuentas en Twitter:
@AbortoLegalMX (México)
@ProAbortoCol (Colombia)
@abortolegalperu (Perú)
@AbortoLegalCL (Chile)
@CampaaAbortoLeg (Argentina)

Con esta información repetimos el ejercicio para @abortolegalperu y @AbortoLegalMX.

Para el caso de @AbortoLegalMX encontramos un llamado a usar una serie de hashtag que conectan hacia las mismas cuentas:

PORQUE NUESTRO DERECHO ES ESCOGER! // ARTISTA: @styIinsonpure
#AbortoLegalArgentina
#AborteLegalMexico
#AbortoLegalColombia
#AbortoLegalPeru
#AbortoLegalChile

Y en el caso de @abortolegalperu hay un comportamiento semejante

Sigan a estas cuentas de los países que se están movilizando para que el aborto sea ley.
@AbortoLegalMX (México)
@ProAbortoCol (Colombia)
@abortolegalperu (Perú)
@AbortoLegalCL (Chile)
@CampaaAbortoLeg (Argentina)
Y de paso den RT para difundir

Ahora a partir de los tweets colectados hicimos un análisis de texto (ver How to "Hacer un análisis de texto")
Aquí los resultados:

[[File:Chile.png|400px|center|alt=Nube de palabras @AbortoLegalCL]]

[[File:ABLPu.png|400px|center|alt=Nube de palabras @abortolegalperu]]

[[File:ABLMx.png|400px|center|alt=Nube de palabras @AbortoLegalMX]]

[[Category:How_To]]

File:ABLMx.png

2018-07-26T16:30:43Z

Anamhoo:

File:ABLPu.png

2018-07-26T16:29:29Z

Anamhoo:

File:Chile.png

2018-07-26T16:27:25Z

Anamhoo:

Analizar datos de twitter con R

2018-07-26T16:23:39Z

Anamhoo:

R <ref>https://www.r-project.org/</ref> es una herramienta poderosa para crear una gran diversidad de análisis, en este "How to" la usaremos para hacer una análisis de datos de Twitter <ref>https://www.twitter.com/</ref>.

== Requisitos ==
Tener Instalado el paquete R y la librería:

rtweet

Contar una cuenta en la appi de twitter <ref>https://apps.twitter.com/</ref>.

==Pasos==

El primer paso es dar de alta como una variable nuestra datos de acceso en la appi de twitter.

> Token <- create_token(
app = "usuaria",
consumer_key = "tus datos",
consumer_secret = "tus datos",
access_token = "tus datos",
access_secret = "tus datos"
)

Todos estos datos se encuentran cuando accedes a tu cuenta en <ref>https://apps.twitter.com/</ref>

En caso que el programa señale algún error sólo corrobora los datos que has dado de alta.

Ahora puedes elegir una cuenta sobre la cual quieres información y puedes:

Colectar su línea de tiempo

> get_timeline

Buscar los tweets de los últimos 9 días

> search_tweets

Ver sos seguidores

> get_followers

Conocer sus amigos:

> get_friends

Puedes ver la lista completa de en [https://cran.r-project.org/web/packages/rtweet/rtweet.pdf rtweet]

==Un ejemplo==

Vamos a hacer un análisis de la cuenta "AbortoLegalCL".
Desde la terminal vamos a ingresar al programa R

$ R

Una vez que ingresamos vamos a cargar la librería rtweet (que debe estar previamente instalada).

> require(rtweet)

Ahora daremos de alta como variable nuestro token:

> Token <- create_token(
app = "Anamhoo",
consumer_key = "___",
consumer_secret = "___",
access_token = "___",
access_secret = "___"
)

Ahora podemos iniciar la búsqueda de datos:

> ABLCL_timeline <- get_timeline("AbortoLegalCL", n = 4000, include_rts = TRUE)

> ABLCL_search <- search_tweets(
+ "AbortoLegalCL", n = 18000, include_rts = TRUE
+ )

> ABLCL_followers <-get_followers("AbortoLegalCL", n = 10000)

> ABLCL_friends <-get_friends("AbortoLegalCL", n = 10000)

> write_as_csv(ABLCL_timeline, "~/ABLCL_timeline.csv", prepend_ids = TRUE, na = "", fileEncoding = "UTF-8")

> write_as_csv(ABLCL_search, "/~/ABLCL_search.csv", prepend_ids = TRUE, na = "", fileEncoding = "UTF-8")

> write_as_csv(ABLCL_followers, "~/ABLCL_followers.csv", prepend_ids = TRUE, na = "", fileEncoding = "UTF-8")

> write_as_csv(ABLCL_friends, "~/ABLCL_friends.csv", prepend_ids = TRUE, na = "", fileEncoding = "UTF-8")

Con esta información tu puedes ahora hacer una análisis con programas como [https://gephi.org/ Gephi].

En nuestro ejemplo una cosa que nos llamó la atención es que uno de los primeros tweets hechos por éste usuario/a hacía un llamado a seguir a otras cuentas:

Apoyen la red latinoamericana pro aborto. #SeVaACaer
Sigan estas cuentas en Twitter:
@AbortoLegalMX (México)
@ProAbortoCol (Colombia)
@abortolegalperu (Perú)
@AbortoLegalCL (Chile)
@CampaaAbortoLeg (Argentina)

Con esta información repetimos el ejercicio para @abortolegalperu y @AbortoLegalMX.

Para el caso de @AbortoLegalMX encontramos un llamado a usar una serie de hashtag que conectan hacia las mismas cuentas:

PORQUE NUESTRO DERECHO ES ESCOGER! // ARTISTA: @styIinsonpure
#AbortoLegalArgentina
#AborteLegalMexico
#AbortoLegalColombia
#AbortoLegalPeru
#AbortoLegalChile

Y en el caso de @abortolegalperu hay un comportamiento semejante

Sigan a estas cuentas de los países que se están movilizando para que el aborto sea ley.
@AbortoLegalMX (México)
@ProAbortoCol (Colombia)
@abortolegalperu (Perú)
@AbortoLegalCL (Chile)
@CampaaAbortoLeg (Argentina)
Y de paso den RT para difundir

Ahora a partir de los tweets colectados hicimos un análisis de texto (ver How to "Hacer un análisis de texto")
Aquí los resultados:

[[Category:How_To]]

Analizar datos de twitter con R

2018-07-26T15:58:12Z

Anamhoo:

Analizar datos de twitter con R

2018-07-26T15:44:28Z

Anamhoo:

Analizar datos de twitter con R

2018-07-26T15:42:40Z

Anamhoo: Created page with " R <ref>https://www.r-project.org/</ref> es una herramienta poderosa para crear una gran diversidad de análisis, en este "How to" la usaremos para hacer una análisis de dato..."

Seguridad digial para defensores de derechos humanos en contextos mineros

2018-07-21T16:32:53Z

Anamhoo:

{{Activities
|Title of the activity=Training with Derechos Humanos sin Fronteras
|Category=Digital Security
|Start when ?=2018/05/22
|End when ?=2018/05/22
|Number of hours if only one day ?=9
|Where is located the activity ?=Regional
|Geo-localization of the activity ?=-12.548845587274, -74.00390625
|Who organize it=Training with Derechos Humanos sin Fronteras, CEDEP AYLLU,
|organisation(s) website=https://es-la.facebook.com/derechossinfronteras.pe/
|For whom is it organized=Human right defenders
|How many people trained=12
|Motivations for organizing training=DHSF is an organization that works on territorial conflicts related to extractive industries. During the training the organization shared about several physical security incidents it has had in the past and their suspicion of having their phones intecepted.
|Topics addressed=digital security, mobil, encrypt
}}
{{Planning and documentation
|Detailed schedule and contents=The training was divided in three parts. During the first part we worked on the general aspects of privacy and digital security in the Latin-American context. In the second part we worked on threats for cellphones. During the third part we worked on secure communication through e-mail and encryption of folders to protect sensitive information.
During the training all participants configured a Wire account, analyzed the security of their cellphone devices, create a secure mail account in a secure server and use veracrypt to encrypt their folders.
|Methodologies for training=Popular education,
|Existing toolkits and resources=https://gendersec.tacticaltech.org (Mobil topics)
From the training part of My shadow [https://myshadow.org/train]the following material was:
How Mobile Communication Works
How the Internet works
Mobile Communication
Mobile Phone Settings (Hands-on)

Additionally we used the following websites.
https://trackography.org/
|Gender and tech tutorials used=myshadow.org,
}}
{{Learning outcomes
|Feelings=The presence of the directives of the organization was important since we reached several agreements on the implementation of digital security tools that we worked on during the training.
|Feedbacks=the participants commented that the workshop was useful and the methodology was adequate
}}

Seguridad digital para la defensa personal feminista

2018-07-21T16:28:05Z

Anamhoo:

{{Activities
|Title of the activity=Seguridad digital para la defensa personal feminista
|Category=Digital Security, Gender and Tech
|Start when ?=2018/07/21
|End when ?=2018/07/21
|Number of hours if only one day ?=4
|Where is located the activity ?=Country
|Geo-localization of the activity ?=4.8413958963329, -74.0478515625
|Who organize it=Escuela de defensa personal para mujeres

Escuela de kickboxing Rosa Elvira Cely

Las BJJ sisters

Fuente popular feminista de Suba
|organisation(s) website=https://www.facebook.com/Crisalidas666

https://www.facebook.com/laescueladp/

https://www.facebook.com/Escuela-De-Kick-Bosxing

https://www.facebook.com/bjjsisters

https://www.facebook.com/las.Policarpas
|For whom is it organized=Feministas que practican la defensa personal feminista
|How many people trained=30
|Motivations for organizing training=Como parte del encuentro de defensa personal feminista se planteó desarrollar la actividad que nos permita introducir la seguridad digital como un elemnto más que forme parte del autocuidado desde una visión feminista.
|Topics addressed=seguridad digital, defensa personal, vulnerabilidades, estrategias
|Upload content=Colombia.pdf
}}
{{Planning and documentation
|Detailed schedule and contents=Dialogar la seguridad digital como parte de la defensa personal feminista.
1) Juego de presentación yo me nombro con un movimiento 2) Qué herramientas usamos para nuestras acciones (trabajo en grupos) 3) Vulnerabilidades de nuestras acciones usando tecnología (input de la facilitadora) 4) Cómo introducimos la seguridad digital dentro de la defensa personal feminista
|Methodologies for training=Se usan técnicas de educación popular para generar un diálogo y pensar juntas el discurso de la seguridad digital, las vulnerabilidades al usar la tecnología e integrarlo en el contexto de la defensa personal feminista
}}
{{Learning outcomes
|Feelings=A las compañeras les tomó sentido la necesidad de cuida huella digital y anonimizar. Además que surgió la discusión sobre el género y la tecnología.
}}

Seguridad digital para la defensa personal feminista

2018-07-21T16:27:31Z

Anamhoo:

{{Activities
|Title of the activity=Seguridad digital para la defensa personal feminista
|Category=Digital Security, Gender and Tech
|Start when ?=2018/07/21
|End when ?=2018/07/21
|Number of hours if only one day ?=4 horas
|Where is located the activity ?=Country
|Geo-localization of the activity ?=4.841395896332888, -74.0478515625
|Who organize it=Escuela de defensa personal para mujeres

Escuela de kickboxing Rosa Elvira Cely

Las BJJ sisters

Fuente popular feminista de Suba
|organisation(s) website=https://www.facebook.com/Crisalidas666

https://www.facebook.com/laescueladp/

https://www.facebook.com/Escuela-De-Kick-Bosxing

https://www.facebook.com/bjjsisters

https://www.facebook.com/las.Policarpas
|For whom is it organized=Feministas que practican la defensa personal feminista
|How many people trained=30
|Motivations for organizing training=Como parte del encuentro de defensa personal feminista se planteó desarrollar la actividad que nos permita introducir la seguridad digital como un elemnto más que forme parte del autocuidado desde una visión feminista.
|Topics addressed=seguridad digital, defensa personal, vulnerabilidades, estrategias
|Upload content=Colombia.pdf
}}
{{Planning and documentation
|Detailed schedule and contents=Dialogar la seguridad digital como parte de la defensa personal feminista.
1) Juego de presentación yo me nombro con un movimiento 2) Qué herramientas usamos para nuestras acciones (trabajo en grupos) 3) Vulnerabilidades de nuestras acciones usando tecnología (input de la facilitadora) 4) Cómo introducimos la seguridad digital dentro de la defensa personal feminista
|Methodologies for training=Se usan técnicas de educación popular para generar un diálogo y pensar juntas el discurso de la seguridad digital, las vulnerabilidades al usar la tecnología e integrarlo en el contexto de la defensa personal feminista
}}
{{Learning outcomes
|Feelings=A las compañeras les tomó sentido la necesidad de cuida huella digital y anonimizar. Además que surgió la discusión sobre el género y la tecnología.
}}

File:Colombia.pdf

2018-07-21T16:25:35Z

Anamhoo:

Seguridad digital para grupos por el derecho a decidir

2018-07-17T00:30:15Z

Anamhoo: Created page with "{{Activities |Title of the activity=Seguridad digital para grupos por el derecho a decidir |Category=Digital Security, Gender and Tech |Start when ?=2018/06/25 |End when ?=201..."

{{Activities
|Title of the activity=Seguridad digital para grupos por el derecho a decidir
|Category=Digital Security, Gender and Tech
|Start when ?=2018/06/25
|End when ?=2018/06/30
|Number of hours if only one day ?=28
|Where is located the activity ?=Nivel nacional
|Geo-localization of the activity ?=-1.4031807433302141, -78.134765625
|Who organize it=Comadres
|For whom is it organized=Grupos por el derecho a decidir
|How many people trained=25
|Motivations for organizing training=En América Latina los grupos que trabajan en torno al derecho a decidir por el contexto regional están expuesto a ataques por grupos antiderechos que frecuentemente se llevan acabo en medios digitales, como ataques ddos a sus sitios web, o amenazas en sus redes sociales.
|Topics addressed=seguridad digital, autodefensa, privacidad
}}
{{Planning and documentation
|Detailed schedule and contents=La actividad inición con un proceso de diálogo sobre el contexto que se vive en relación al activismo que se practica, algunos de los ataques detectados y necesidades.
En base a las necesidades se configuraron algunas acciones inmediatas para poder mitigar riesgos.
|Methodologies for training=ADIDS
|Existing toolkits and resources=https://tacticaltech.org/media/projects/CuerposMujeres.pdf
https://gendersec.tacticaltech.org
|Gender and tech tutorials used=myshadow.org,
}}
{{Learning outcomes}}

Seguridad digial para defensores de derechos humanos en contextos mineros 3

2018-07-17T00:10:47Z

Anamhoo: Created page with "{{Activities |Title of the activity=Participation in the Program to strengthen and train on secure communication within the mining corredor |Category=Digital Security |Start w..."

{{Activities
|Title of the activity=Participation in the Program to strengthen and train on secure communication within the mining corredor
|Category=Digital Security
|Start when ?=2018/05/24
|End when ?=2018/05/25
|Number of hours if only one day ?=18
|Where is located the activity ?=Regional
|Geo-localization of the activity ?=-12.865359661408899, -74.70703125
|Who organize it=Cooperaccion
|For whom is it organized=popular communicators
|How many people trained=14
|Motivations for organizing training=This training was realized within the context of a program which contained a training aimed at strengthening "digital communication and social networks". The organization that facilitated the participation was Cooperacción, an NGO that develops two progamms: the program for collective rights and extractive industries and the program for costal development.
|Topics addressed=digital security tools for communicators
}}
{{Planning and documentation
|Detailed schedule and contents=Considering the activities planned for the training it was possible to introduce relevant topics related to privacy, exposing data and protecting sensitive information when using social networks, e-mail and cloud services.

It was also possible to show alternative tools like e-mails with ethical servers, websites to share documents through ethical servers, wire for cellphones with its desktop version, general security configuration for cellphones and Osmand was used for cartographic use.
|Methodologies for training=ADIDS
|Existing toolkits and resources=From the training part of My shadow [https://myshadow.org/train]the following material was:
How Mobile Communication Works
How the Internet works
Mobile Communication
Mobile Phone Settings (Hands-on)
Additionally we used the following websites.
https://trackography.org/
https://gendersec.tacticaltech.org/wiki/index.php/Main_Page
|Gender and tech tutorials used=myshadow.org,
}}
{{Learning outcomes}}

Seguridad digial para defensores de derechos humanos en contextos mineros 2

2018-07-16T23:59:09Z

Anamhoo: Created page with "{{Activities |Title of the activity=Conversation on digital security with CEDEP AYLLU |Category=Digital Security |Start when ?=2018/05/23 |End when ?=2018/05/23 |Where is loca..."

{{Activities
|Title of the activity=Conversation on digital security with CEDEP AYLLU
|Category=Digital Security
|Start when ?=2018/05/23
|End when ?=2018/05/23
|Where is located the activity ?=Regional
|Geo-localization of the activity ?=-11.835094475418835, -75.76171875
|Who organize it=CEDEP AYLLU
|For whom is it organized=Human right defenders
|How many people trained=5
|Motivations for organizing training=CEDEP AYLLU is an organization that works on sustainable development with communities.
|Topics addressed=digital security
}}
{{Planning and documentation
|Detailed schedule and contents=The conversation started with an exposition about our data and the Internet, analyzing the infrastructure of the Internet and examples of ho companies use information of their users, as well as the techno-political context. During the conversation we talked on the importance of starting a digital security process within the organization that includes a critical vision of the necessities and adopted on the conditions in which the organization works.
|Methodologies for training=Exposition
|Existing toolkits and resources=https://trackography.org/
https://gendersec.tacticaltech.org/wiki/index.php/Main_Page
|Gender and tech tutorials used=myshadow.org,
}}
{{Learning outcomes}}

Seguridad digial para defensores de derechos humanos en contextos mineros

2018-07-16T20:42:18Z

Anamhoo:

{{Activities
|Title of the activity=Training with Derechos Humanos sin Fronteras
|Category=Digital Security
|Start when ?=2018/07/16
|End when ?=2018/07/16
|Number of hours if only one day ?=9
|Where is located the activity ?=Regional
|Geo-localization of the activity ?=-12.548845587274496, -74.00390625
|Who organize it=Training with Derechos Humanos sin Fronteras, CEDEP AYLLU,
|organisation(s) website=https://es-la.facebook.com/derechossinfronteras.pe/
|For whom is it organized=Human right defenders
|How many people trained=12
|Motivations for organizing training=DHSF is an organization that works on territorial conflicts related to extractive industries. During the training the organization shared about several physical security incidents it has had in the past and their suspicion of having their phones intecepted.
|Topics addressed=digital security, mobil, encrypt
}}
{{Planning and documentation
|Detailed schedule and contents=The training was divided in three parts. During the first part we worked on the general aspects of privacy and digital security in the Latin-American context. In the second part we worked on threats for cellphones. During the third part we worked on secure communication through e-mail and encryption of folders to protect sensitive information.
During the training all participants configured a Wire account, analyzed the security of their cellphone devices, create a secure mail account in a secure server and use veracrypt to encrypt their folders.
|Methodologies for training=Popular education,
|Existing toolkits and resources=https://gendersec.tacticaltech.org (Mobil topics)
From the training part of My shadow [https://myshadow.org/train]the following material was:
How Mobile Communication Works
How the Internet works
Mobile Communication
Mobile Phone Settings (Hands-on)

Additionally we used the following websites.
https://trackography.org/
|Gender and tech tutorials used=myshadow.org,
}}
{{Learning outcomes
|Feelings=The presence of the directives of the organization was important since we reached several agreements on the implementation of digital security tools that we worked on during the training.
|Feedbacks=the participants commented that the workshop was useful and the methodology was adequate
}}

Seguridad digial para defensores de derechos humanos en contextos mineros

2018-07-16T20:37:42Z

Anamhoo: Created page with "{{Activities |Title of the activity=Training with Derechos Humanos sin Fronteras |Start when ?=2018/07/16 |End when ?=2018/07/16 |Number of hours if only one day ?=9 |Who orga..."

{{Activities
|Title of the activity=Training with Derechos Humanos sin Fronteras
|Start when ?=2018/07/16
|End when ?=2018/07/16
|Number of hours if only one day ?=9
|Who organize it=Training with Derechos Humanos sin Fronteras, CEDEP AYLLU,
|organisation(s) website=https://es-la.facebook.com/derechossinfronteras.pe/
|For whom is it organized=Human right defenders
|How many people trained=12
|Motivations for organizing training=DHSF is an organization that works on territorial conflicts related to extractive industries. During the training the organization shared about several physical security incidents it has had in the past and their suspicion of having their phones intecepted.
|Topics addressed=digital security, movil, encrypt
}}
{{Planning and documentation
|Detailed schedule and contents=The training was divided in three parts. During the first part we worked on the general aspects of privacy and digital security in the Latin-American context. In the second part we worked on threats for cellphones. During the third part we worked on secure communication through e-mail and encryption of folders to protect sensitive information.
During the training all participants configured a Wire account, analyzed the security of their cellphone devices, create a secure mail account in a secure server and use veracrypt to encrypt their folders.
|Methodologies for training=Popular education,
}}
{{Learning outcomes}}

Seguridad digital para la defensa personal feminista

2018-07-13T15:23:22Z

Anamhoo: Created page with "{{Activities |Title of the activity=Seguridad digital para la defensa personal feminista |Start when ?=2018/07/13 |End when ?=2018/07/13 |Number of hours if only one day ?=4 h..."

{{Activities
|Title of the activity=Seguridad digital para la defensa personal feminista
|Start when ?=2018/07/13
|End when ?=2018/07/13
|Number of hours if only one day ?=4 horas
|Who organize it=Escuela de defensa personal para mujeres

Escuela de kickboxing Rosa Elvira Cely

Las BJJ sisters

Fuente popular feminista de Suba
|organisation(s) website=https://www.facebook.com/Crisalidas666

https://www.facebook.com/laescueladp/

https://www.facebook.com/Escuela-De-Kick-Bosxing

https://www.facebook.com/bjjsisters

https://www.facebook.com/las.Policarpas
|For whom is it organized=Feministas que practican la defensa personal feminista
|How many people trained=30
|Motivations for organizing training=Como parte del encuentro de defensa personal feminista se planteó desarrollar la actividad que nos permita introducir la seguridad digital como un elemnto más que forme parte del autocuidado desde una visión feminista.
|Topics addressed=seguridad digital, defensa personal, vulnerabilidades, estrategias
}}
{{Planning and documentation
|Detailed schedule and contents=Dialogar la seguridad digital como parte de la defensa personal feminista.
1) Juego de presentación yo me nombro con un movimiento 2) Qué herramientas usamos para nuestras acciones (trabajo en grupos) 3) Vulnerabilidades de nuestras acciones usando tecnología (input de la facilitadora) 4) Cómo introducimos la seguridad digital dentro de la defensa personal feminista
|Methodologies for training=Se usan técnicas de educación popular para generar un diálogo y pensar juntas el discurso de la seguridad digital, las vulnerabilidades al usar la tecnología e integrarlo en el contexto de la defensa personal feminista
}}
{{Learning outcomes}}

Seguridad digital en campañas feministas

2018-07-13T15:17:09Z

Anamhoo: Created page with "{{Tutorial |Title of the tutorial=Seguridad digital para la defensa personal feminista |Duration (hours)=2-4 horas |Learning objectives=Dialogar la seguridad digital como part..."

{{Tutorial
|Title of the tutorial=Seguridad digital para la defensa personal feminista
|Duration (hours)=2-4 horas
|Learning objectives=Dialogar la seguridad digital como parte de la defensa personal feminista.
1) Juego de presentación yo me nombro con un movimiento
2) Qué herramientas usamos para nuestras acciones (trabajo en grupos)
3) Vulnerabilidades de nuestras acciones usando tecnología (input de la facilitadora)
4) Cómo introducimos la seguridad digital dentro de la defensa personal feminista
|Prerequisites=Ninguno
|Methodology=A partir de la educación popular se planteará una discusión sobre lo que implica pensar desde la defensa personal feminista la seguridad digital y su integración
|Number of facilitators involved=2 (preferentemente)
|Technical needs=Un proyecto
Teléfonos personales de las asistentes
Computadoras portátiles de las asistentes si las tienen
|Theoretical and on line resources=https://gendersec.tacticaltech.org
}}

Cifrar archivos con miniLock

2018-01-10T22:39:03Z

Anamhoo:

== ¿Qué es miniLock?==

[https://minilock.io MiniLock] es una aplicación que te permite cifrar<ref>Si quieres saber más sobre cifrado puedes ir a [https://gendersec.tacticaltech.org/wiki/index.php/Encrypting_everything Encrypting everything]</ref> archivos de forma sencilla. Su funcionamiento se basa en la generación de un identificador (ID) a partir de un correo electrónico, éste ID puede ser compartido para que cualquier persona que tenga miniLock pueda cifrar un archvio para ti. Su filosofía principal consiste en la simplilcidad, tratar de mantener el tamaño de los archivos y ser auditados. Para ello utiliza la librería de cifrado [http://tweetnacl.cr.yp.to/software.html TweeNaCl] transportado a [https://github.com/dchest/tweetnacl-js JavaScript]. La auditoría fue hecha por [https://cure53.de/ CURE53 ] y está disponible a través de su sitio [http://minilock.io/ web]

== Instalar miniLock ==
MiniLock está disponible para descarga a partir de la tienda web de Chrome y es gratuito. Para poder instalarlo lo primero que tienes que hacer es en un navegador Chrome o Chromium ir a la página de [http://minilock.io/ miniLock] y dar clic en el enlace de descarga.

[[File:Minilock1.png|400px|center|alt=Descarga]]

Este enlace te dirigirá a a tienda google desde la cual tienes que añadir como una extensión a Chrome.

[[File:Minilock2.png|400px|center|alt=Añadir app]]

Una vez hecho esto la aplicación queda descargada y podrás utilizarla sin necesidad de abrir el navegador, aunque podrás acceder a ella también desde el navegador.

==Crear un ID en miniLock==
La primera vez que abres miniLock aparecerá una ventana que te pide ingresar un correo electrónico y una contraseña.

[[File:Minilock3.png|400px|center|alt=inicio]]

No es necesario que el correo electrónico tenga un dominio en uso, puedes invetar cualquier dominio. Para la contraseña se requiere una muy larga y si el sistema de miniLock no la califica como fuerte te sugerirá una.
'''Es muy necesario que te aprendas o almacenes de forma segura ésta contraseña.'''

[[File:Minilock4.png|400px|center|alt=Datos iniciales]]

Una vez corroborado que la contraseña es fuerte es necesario dar clic en la flecha y esto nos dirigirá a una nueva venta en la que aparece nuestra ID (puedes copiarla y guardarla en el sitio de tú preferencia para que puedas compartirla cuando quieres que te envíen una archivo cifrado para ti). En la misma ventana aparece un cuadro central que permite selección de tu sistema de ficheros cual es el archivo que quieres cifrar.

[[File:Minilock5.png|400px|center|alt=ID]] [[File:Minilock6.png|400px|center|alt=ID]]

Cuando el archivo es seleccionado se abrirá una ventana en la que está el nombre del archivo y espacio para ingresar la/s ID para quienes se cifrará el archivo, de inicio siempre incluye tu propia ID.

[[File:Minilock7.png|400px|center|alt=ID]]

Cuando se ha ingresado todas las ID para las cuales se quieren cifrar los archivos se puede dar clic en la flecha para continuar y se abrirá una nueva ventana en la que aparece el nombre del archivo pero ahora con la terminación .minilock, es necesario proceder a la descarga dando clic en la flecha.

[[File:Minilock8.png|400px|center|alt=ID]]

El archivo estará disponible dese el la carpeta de descargas.

[[File:Minilock9.png|400px|center|alt=ID]]

El archivo descargado es una versión cifrada del archivo original y puede ser enviado de forma segura.

== Descifrar un archivo en miniLock ==

Para descifrar un archivo desde la ventana de selección de archivos se elige el archivo a descifrar.

[[File:Minilock5.png|400px|center|alt=ID]]

Una vez hecho esto se abrirá una ventana que indica el nombre del archivo, el ID para quien fue cifrado y se puede dar clic en la flecha.

[[File:Minilock10.png|400px|center|alt=ID]]

Al hacerlo el archivo se descargará y aparecerá bajo el nombre del archivo ahora sin la terminación .minilock

[[File:Minilock11.png|400px|center|alt=ID]]

[[Category:How_To]]

Cifrar archivos con miniLock

2018-01-10T21:39:51Z

Anamhoo:

== ¿Qué es miniLock?==

[https://minilock.io MiniLock] es una aplicación que te permite cifrar archivos de forma sencilla. Su funcionamiento se basa en la generación de un identificador (ID) a partir de un correo electrónico, éste ID puede ser compartido para que cualquier persona que tenga miniLock pueda cifrar un archvio para ti. Su filosofía principal consiste en la simplilcidad, tratar de mantener el tamaño de los archivos y ser auditados. Para ello utiliza la librería de cifrado [http://tweetnacl.cr.yp.to/software.html TweeNaCl] transportado a [https://github.com/dchest/tweetnacl-js JavaScript]. La auditoría fue hecha por [https://cure53.de/ CURE53 ] y está disponible a través de su sitio [http://minilock.io/ web]

== Instalar miniLock ==
MiniLock está disponible para descarga a partir de la tienda web de Chrome y es gratuito. Para poder instalarlo lo primero que tienes que hacer es en un navegador Chrome o Chromium ir a la página de [http://minilock.io/ miniLock] y dar clic en el enlace de descarga.

[[File:Minilock1.png|400px|center|alt=Descarga]]

Este enlace te dirigirá a a tienda google desde la cual tienes que añadir como una extensión a Chrome.

[[File:Minilock2.png|400px|center|alt=Añadir app]]

Una vez hecho esto la aplicación queda descargada y podrás utilizarla sin necesidad de abrir el navegador, aunque podrás acceder a ella también desde el navegador.

==Crear un ID en miniLock==
La primera vez que abres miniLock aparecerá una ventana que te pide ingresar un correo electrónico y una contraseña.

[[File:Minilock3.png|400px|center|alt=inicio]]

No es necesario que el correo electrónico tenga un dominio en uso, puedes invetar cualquier dominio. Para la contraseña se requiere una muy larga y si el sistema de miniLock no la califica como fuerte te sugerirá una.
'''Es muy necesario que te aprendas o almacenes de forma segura ésta contraseña.'''

[[File:Minilock4.png|400px|center|alt=Datos iniciales]]

Una vez corroborado que la contraseña es fuerte es necesario dar clic en la flecha y esto nos dirigirá a una nueva venta en la que aparece nuestra ID (puedes copiarla y guardarla en el sitio de tú preferencia para que puedas compartirla cuando quieres que te envíen una archivo cifrado para ti). En la misma ventana aparece un cuadro central que permite selección de tu sistema de ficheros cual es el archivo que quieres cifrar.

[[File:Minilock5.png|400px|center|alt=ID]] [[File:Minilock6.png|400px|center|alt=ID]]

Cuando el archivo es seleccionado se abrirá una ventana en la que está el nombre del archivo y espacio para ingresar la/s ID para quienes se cifrará el archivo, de inicio siempre incluye tu propia ID.

[[File:Minilock7.png|400px|center|alt=ID]]

Cuando se ha ingresado todas las ID para las cuales se quieren cifrar los archivos se puede dar clic en la flecha para continuar y se abrirá una nueva ventana en la que aparece el nombre del archivo pero ahora con la terminación .minilock, es necesario proceder a la descarga dando clic en la flecha.

[[File:Minilock8.png|400px|center|alt=ID]]

El archivo estará disponible dese el la carpeta de descargas.

[[File:Minilock9.png|400px|center|alt=ID]]

El archivo descargado es una versión cifrada del archivo original y puede ser enviado de forma segura.

== Descifrar un archivo en miniLock ==

Para descifrar un archivo desde la ventana de selección de archivos se elige el archivo a descifrar.

[[File:Minilock5.png|400px|center|alt=ID]]

Una vez hecho esto se abrirá una ventana que indica el nombre del archivo, el ID para quien fue cifrado y se puede dar clic en la flecha.

[[File:Minilock10.png|400px|center|alt=ID]]

Al hacerlo el archivo se descargará y aparecerá bajo el nombre del archivo ahora sin la terminación .minilock

[[File:Minilock11.png|400px|center|alt=ID]]

[[Category:How_To]]

File:Minilock11.png

2018-01-10T21:39:29Z

Anamhoo:

File:Minilock10.png

2018-01-10T21:38:25Z

Anamhoo:

File:Minilock9.png

2018-01-10T21:37:16Z

Anamhoo:

File:Minilock8.png

2018-01-10T21:36:28Z

Anamhoo:

File:Minilock7.png

2018-01-10T21:35:48Z

Anamhoo:

File:Minilock6.png

2018-01-10T21:34:49Z

Anamhoo:

File:Minilock5.png

2018-01-10T21:33:26Z

Anamhoo:

File:Minilock4.png

2018-01-10T21:32:22Z

Anamhoo:

File:Minilock3.png

2018-01-10T21:31:33Z

Anamhoo:

File:Minilock2.png

2018-01-10T21:30:01Z

Anamhoo:

Cifrar archivos con miniLock

2018-01-10T21:28:03Z

Anamhoo: Created page with "== ¿Qué es miniLock?== [minilock.io MiniLock] es una aplicación que te permite cifrar archivos de forma sencilla. Su funcionamiento se basa en la generación de un identif..."

== ¿Qué es miniLock?==

[minilock.io MiniLock] es una aplicación que te permite cifrar archivos de forma sencilla. Su funcionamiento se basa en la generación de un identificador (ID) a partir de un correo electrónico, éste ID puede ser compartido para que cualquier persona que tenga miniLock pueda cifrar un archvio para ti. Su filosofía principal consiste en la simplilcidad, tratar de mantener el tamaño de los archivos y ser auditados. Para ello utiliza la librería de cifrado [http://tweetnacl.cr.yp.to/software.html TweeNaCl] transportado a [https://github.com/dchest/tweetnacl-js JavaScript]. La auditoría fue hecha por [https://cure53.de/ CURE53 ] y está disponible a través de su sitio [http://minilock.io/ web]

== Instalar miniLock ==
MiniLock está disponible para descarga a partir de la tienda web de Chrome y es gratuito. Para poder instalarlo lo primero que tienes que hacer es en un navegador Chrome o Chromium ir a la página de [http://minilock.io/ miniLock] y dar clic en el enlace de descarga.

[[File:Minilock1.png|400px|center|alt=Descarga]]

Este enlace te dirigirá a a tienda google desde la cual tienes que añadir como una extensión a Chrome.

Una vez hecho esto la aplicación queda descargada y podrás utilizarla sin necesidad de abrir el navegador, aunque podrás acceder a ella también desde el navegador.
==Crear un ID en miniLock==
La primera vez que abres miniLock aparecerá una ventana que te pide ingresar un correo electrónico y una contraseña. No es necesario que el correo electrónico tenga un dominio en uso, puedes invetar cualquier dominio. Para la contraseña se requiere una muy larga y si el sistema de miniLock no la califica como fuerte te sugerirá una.
'''Es muy necesario que te aprendas o almacenes de forma segura ésta contraseña.'''

Una vez corroborado que la contraseña es fuerte es necesario dar clic en la flecha y esto nos dirigirá a una nueva venta en la que aparece nuestra ID (puedes copiarla y guardarla en el sitio de tú preferencia para que puedas compartirla cuando quieres que te envíen una archivo cifrado para ti). En la misma ventana aparece un cuadro central que permite selección de tu sistema de ficheros cual es el archivo que quieres cifrar.

Cuando el archivo es seleccionado se abrirá una ventana en la que está el nombre del archivo y espacio para ingresar la/s ID para quienes se cifrará el archivo, de inicio siempre incluye tu propia ID.

Cuando se ha ingresado todas las ID para las cuales se quieren cifrar los archivos se puede dar clic en la flecha para continuar y se abrirá una nueva ventana en la que aparece el nombre del archivo pero ahora con la terminación .minilock, es necesario proceder a la descarga dando clic en la flecha.

El archivo estará disponible dese el la carpeta de descargas.

El archivo descargado es una versión cifrada del archivo original y puede ser enviado de forma segura.

== Descifrar un archivo en miniLock ==

Para descifrar un archivo desde la ventana de selección de archivos se elige el archivo a descifrar.

Una vez hecho esto se abrirá una ventana que indica el nombre del archivo, el ID para quien fue cifrado y se puede dar clic en la flecha.

Al hacerlo el archivo se descargará y aparecerá bajo el nombre del archivo ahora sin la terminación .minilock

[[Category:How_To]]

File:Minilock1.png

2018-01-10T21:26:28Z

Anamhoo:

Diagnósticos en seguridad digital para organizaciones defensoras de derechos humanos y del territorio: un manual para facilitadores.

2017-11-06T23:31:13Z

Anamhoo: /* Análisis del ambiente físico y de los equipos de cómputo */

[[File:01_ManualSD_TR.png|600px]]
== Presentando el manual ==
[[File:24_ManualSD_TR.png|center|600px|Introducción]]

En la mitología griega, Dedalus era un creador de artefactos, sus obras mostraban constantemente el profundo conflicto entre la innovación y su uso como herramienta del poder o la ambición. Como si fuese uno más de los artefactos de Dedalus, entre los sueños utópicos y las pesadillas, la tecnología actual no ha logrado escapar de sus propias paradojas. En el sueño de Dedalus, la innovación tecnológica serviría para volar y escapar del encierro pero en ese impulso humano de quedar cegado ante lo luminoso y la posibilidad, Ícaro, su hijo, llevó al límite el sueño.

Actualmente, la tecnología sigue jugando este papel: en el sueño potencia nuestra libertad y bienestar, pero se juega siempre en el límite. En el caso de las tecnologías de la información y la comunicación (TIC), como en la mitología, éstas nos dan la posibilidad de buscar la libertad traspasando fronteras, combatiendo discursos dominantes de odio, dando espacios para lo diverso, el encontrarnos y reconocernos, el compartir. Sin embargo, atadas a sus propias vulnerabilidades, las TIC exponen a quienes las usamos a riesgos como la vigilancia, el espionaje e incluso la manipulación.

El trabajo de los y las defensoras de los derechos humanos y del territorio, sin duda, se ha beneficiado del desarrollo de nuevas tecnologías para actividades importantes como comunicarnos, generar campañas, compartir información, hacer análisis, documentar casos y guardar datos. Al mismo tiempo, el uso de la tecnología ha generado nuevas vulnerabilidades, evidenciadas por eventos documentados, entre ellos: la infección de computadoras por autoridades gubernamentales con programas para vigilar, compra de equipos para monitorear llamadas, robo de computadoras a organizaciones sociales, pérdida/robo del celular con información personal y de trabajo que después se expuso en redes sociales, espionaje sobre redes sociales e intrusión en cuentas de correo o facebook.

La información que comúnmente nos llega sobre la capacidad de vigilancia que podría tener el Estado, algún cartel e incluso particulares, usando la tecnología, puede exacerbar el miedo y fomentar la autocensura. Puede parecer que solo hay dos opciones extremas: o ''usa la tecnología sin protección porque no hay nada que puedas hacer'' o ''destruyamos la tecnología''. En la práctica, esta disyuntiva se reduce a la decisión de usarla o no.

Nosotras abogamos por una postura distinta, que no parte de la desesperación, ni de responder con violencia, sino con auto-determinación: si bien la tecnología no es ni el principio ni el final del problema, un uso consciente puede potenciar nuestras acciones, evitar o mitigar vulnerabilidades y ayudar al cuidado colectivo.

A partir de nuestra propia experiencia dentro de colectivos, trabajo con organizaciones muy diversas e investigación, creemos que es importante generar estrategias y sumar a los análisis de seguridad de las organizaciones lo que se conoce como seguridad digital; que implica analizar nuestro uso de la tecnología, entender nuestras vulnerabilidades, encontrar herramientas que nos sean oportunas y desarrollar capacidades internas para integrarla dentro de un esquema general de seguridad.

Desafortunadamente, las organizaciones y colectivos, debido a problemas como la falta de tiempo, recursos o conocimientos, pocas veces cuentan con la oportunidad de generar esta integración de la seguridad digital como un proceso. Esto resulta frecuentemente en que al final las medidas acordadas se abandonan con el tiempo.

Desde las comunidades técnicas que tienen un compromiso social, existe también una dificultad para contribuir en estos procesos, ya que en muchos casos, si bien los conocimientos sobre seguridad digital pueden ser sólidos, la falta de estrategias pedagógicas o de experiencia sobre las condiciones reales en las que se desarrolla el trabajo cotidiano de las organizaciones, se crea una barrera que impide la comunicación y la transferencia de conocimientos.

Para que un proceso de seguridad digital sea apropiado efectivamente por las organizaciones, es fundamental que el conocimiento no se integre desde las voces expertas, sino desde el compartir y recrear. El paso inicial de tal proceso es el diagnóstico participativo.

En este manual, las '''Técnicas Rudas''' presentamos una propuesta metodológica para implementar diagnósticos de seguridad digital para organizaciones que trabajan en la defensa de los derechos humanos y/o del territorio. Este manual está dirigido especialmente a talleristas, facilitadores y expertos en seguridad digital que trabajen con organizaciones sociales. Sin embargo, creemos que puede ser útil para guiar a una organización que decida iniciar el proceso por sí misma.

La propuesta se caracteriza porque tiene una postura tecnopolítica e introduce una mirada feminista. En consecuencia, se basa en la educación popular como herramienta pedagógica.

==¿Cómo usar esta guía?==
[[File:02_ManualSD_TR.png|center|600px|Cómo?]]

Está guía esta enfocada en la comunidad de entrenadores o facilitadores en seguridad digital, pero también puede ser útil para una organización que ha tomado la decisión de iniciar su proceso de seguridad digital por sí misma. La estructura y las actividades propuestas puede y debe adaptarse a las circunstancias y necesidades específicas de la organización. La guía también puede ser una referencia útil para los facilitadores cuando llevan a cabo el diagnóstico de una organización o grupo. La metodología también puede aplicarse a evaluaciones individuales con ajustes mínimos.

=== ¿Por qué es necesaria la mirada tecnopolítica? ===

De forma superficial, el debate sobre las vulnerabilidades limita las consecuencias en el ámbito de la privacidad individual, generando una respuesta particularizada que se reduce a frases como “no tengo nada que ocultar", que no logra integrar el alcance social que estas tienen. Mientras que los especialistas buscan soluciones reduccionistas, como el que una aplicación se encargue de '''parchar vulnerabilidades'''.

[[File:03_ManualSD_TR.png|left|400px|Tecnopolitica]]Sin embargo, un análisis más profundo sobre la tecnología, da cuenta de cómo en las diferentes fases de los procesos tecnológicos existe una visión política-económica. Así, al momento de ser construida, se hace evidente la necesidad de analizar de dónde se obtienen los minerales indispensables para sus componentes, las manos de quienes trabajaron para su producción, las condiciones laborales; en dónde es producida y cómo llega a los mercados, el cómo estas mercancías serán consumidas, cruzadas por el género y la clase. Y al final serán desechadas bajo un esquema territorial del planeta, impuesto desde un porcentaje pequeño de la población que acumula la riqueza.

Esta mirada profunda que identificamos como tecnopolítica, ha hecho evidente que existe un interés económico en la obtención de datos personales a partir del uso de medios digitales. Por ejemplo, se puede ver la investigación de [https://chupadados.codingrights.org/es/ Coding Rights].

También han sido expuestas evidencias de vigilancia local y global. Por ejemplo, al momento de escribir este manual, en México se han mostrado evidencias de espionaje a periodistas y organizaciones defensoras de derechos humanos usando el software ''Pegasus''<ref>https://r3d.mx/2017/06/19/gobierno-espia/</ref>.

Para la región, en 2015, filtraciones de correos de la empresa Hacking Team evidenciaron la enorme inversión que gobiernos latinoamericanos habían hecho en hardware y software para la vigilancia<ref>https://www.derechosdigitales.org/wp-content/uploads/malware-para-la-vigilancia.pdf </ref>.

Sobre vigilancia masiva, el caso más conocido fue el de las [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 filtraciones] hechas por Edward Snowden en 2013, que mostraron un elaborado aparato de vigilancia global operada por la NSA (National Security Agency por sus siglas en inglés) de Estados Unidos <ref> https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29</ref>.

Considerando las condiciones sociales es importante alertar a quienes defienden los derechos humanos y el territorio que usan las TIC para sus comunicaciones, incluso como parte de sus estrategias de lucha, sobre sus vulnerabilidades.

La seguridad digital requiere una mirada tecnopolítica porque solo podrá responder certeramente a los retos actuales siendo sensible a las condiciones reales en las que las personas las usamos.

En la práctica, estas consideraciones se traducen en optar por software libre (ya que es transparente en su código y da la posibilidad de enriquecerlo), evitar contribuir en el desecho de tecnología o caer en el juego de la obsolescencia programada y tener prácticas pedagógicas que consideren aspectos sociales.

=== Las miradas feministas ===
[[File:04_ManualSD_TR.png|600px]]

Partimos de que no existe un feminismo, existen múltiples feminismos. Entre ellos, está el Transhackfeminismo que, si bien no cuenta con una definición clara (y probablemente no pretenda nunca una definición estática), rescata cuatro aspectos básicos:

a) El prefijo trans que hace referencia a la transformación, transgresión, transitoriedad; es el cambio y el saltar fronteras.

b) Hack, que en sus orígenes tiene que ver con trabajo mecánico que se repite. Es esa gota de agua que de tanto caer traspasa todo, es la esencia de Marie Curie procesando una tonelada de *Pechblenda* para obtener un gramo del material que le permitió descubrir el radio.

c) El feminismo como estas múltiples formas que han dado cuenta de cómo este sistema que sobrepone el capital a lo humano y ha basado su crecimiento en la explotación del cuerpo de la mujer, invisibiliza trabajos esenciales para la reproducción de la vida humana, discrimina y crea fracturas en las comunidades.

d) Desde la América Latina, '''la gran Abya Yala''', sumamos los feminismos comunitarios que introducen un ecofeminismo ligado a la tierra y descoloniza la mirada.

Desde el transhackfeminismo es posible ubicar la asimetría que hay para acceder al conocimiento y generar estrategias. Pone en el centro la comunalidad como nuestra base; cuestiona y desactiva las prácticas de poder al compartir conocimiento.

== La educación popular ==
[[File:05_ManualSD_TR.png|500px]]

Existen una gran variedad de prácticas pedagógicas en manuales de seguridad digital, en algunos casos sólo son recomendaciones sobre dinámicas, útiles, por ejemplo, para despertar a los participantes cuando están cansados, algunas otras van más lejos y emplean técnicas de educación para adultos. Nosotras decidimos trabajar a partir de la educación popular <ref>Sobrepasa los alcances de este manual detallar aspectos de la educación popular y existe numerosa bibliografía al respecto. Se puede iniciar revisando la obra de Paulo Freire (Por ejemplo: https://es.wikipedia.org/wiki/Paulo_Freire)</ref> , porque compartimos que:

a) Educar es un acto político en el que existen relaciones de poder y hay que romper con esos esquemas.

b) Creemos que la teoría y la práctica están dialécticamente relacionadas.

c) Como lo dice la etimología de la palabra: la conciencia proviene del conocimiento aprendido con otros/as.

d) Asumimos que ''el mundo no es, el mundo está siendo'' (Paulo Freire).

== Preparativos ==
[[File:06_ManualSD_TR.png|600px]]

Considerando que el diagnóstico contempla tanto actividades ''in situ'' como trabajo de gabinete, para tener una facilitación eficiente y segura es vital estar preparado. Lo que significa:

1. Entender el contexto tecnopolítico en el que se desenvuelve la organización.

2. Proveer a la organización de una explicación precisa de cómo se llevará a cabo el diagnóstico, su propósito y las expectativas sobre los miembros de la organización que participen.

3. Estar seguro que se cuenta con todos los insumos materiales necesarios.

A continuación damos una serie de ideas de cómo prepararse, pero es importante que cada paso sea asimilado en su esencia y tratar de adaptar de forma creativa las situaciones particulares.

== Investigación ==
[[File:26_ManualSD_TR.png|500px]]

a) Conociendo a la organización.

Tal vez la invitación a colaborar llegó por la conexión de una persona cercana y por transferencia de confianza se tienen premisas tácitas. Sin embargo, tanto para evaluar el riesgo para el equipo de facilitación como para el proceso de diagnóstico, es necesario ampliar lo más posible este conocimiento, investigar quiénes son y lo que trabajan.

Hay que tomar en cuenta que la idea no es hacer un análisis invasivo, convertirse en [https://en.wikipedia.org/wiki/Stalking stalkers] <ref>El término popularmente se refiere a una actitud obsesiva que se refleja en la búsqueda de información pero que puede llegar más lejos.</ref> o exponer a las organizaciones en su vulnerabilidad, porque esto podría crear desconfianza, incomodar a la organización o poner a los/las participantes a la defensiva. Es necesario ser sensibles y tener claridad en el límite de la búsqueda de información pública. De ser necesario, durante el trabajo *in situ* se pueden aportar mecanismos sobre cómo hilar entre los diferentes tipos de información pública que existen y la información que, sin estar totalmente pública, las empresas que se utilizan para servicios como correo electrónico o redes sociales, pueden tener y combinar para diferentes tipos de análisis.

Consideramos información pública necesaria para esta primera aproximación toda la que esté disponible en prensa, comunicados políticos, la que se encuentre en redes sociales, la que esté disponible en su sitio web (incluyendo información sobre el servidor en el que se aloja, el representante legal y técnico que se asocien al dominio y sus direcciones oficiales, la cual se obtiene fácilmente a partir de páginas como https://whois.net/default.aspx) y, si es posible, quien provee el servicio de correo electrónico.

A partir de esta información, se trata de contestar preguntas como: ¿Qué temas se abordan? ¿Quiénes podrían estar interesados en oponerse a este trabajo o a quiénes afecta este trabajo? ¿Qué tan públicas son las personas que trabajan en la organización? ¿Con qué otras personas o instituciones se les puede asociar? ¿En qué país se encuentra el servidor de su sitio web? ¿Cuál es la información personal identificable (IPI<ref>IPI Información Personal Identificable se refiere a toda aquella información sobre un individuo que es administrada por un tercero (por ejemplo: gobiernos o empresas), incluyendo todos aquellos datos que pueden ser distintivos del individuo o a partir de los cuales es posible rastrear su identidad y toda la información asociada o asociable al individuo (por ejemplo: el número de su pasaporte, su dirección física, la placa de matriculación de su coche, etc).</ref>) del personal dentro de todos los datos que se han encontrado? ¿Es posible ubicar geográficamente las instalaciones de la organización? ¿Se pueden conseguir teléfonos de las oficinas o sitios de trabajo y teléfonos personales? ¿Han tenido incidentes de seguridad o amenazas reportadas públicamente?

b) Análisis del contexto tecnopolítico regional, nacional y local.

Esto incluye conocer y relacionar las temáticas que trabaja la organización y las posturas que habría sobre las mismas a nivel gubernamental nacional, estatal y local. Es importante buscar si se han reportado indicios de compra de equipos o asociación con empresas dedicadas al espionaje o la vigilancia y si ha sido una práctica gubernamental documentada la represión o la vigilancia. También se puede buscar la trayectoria de gente que participe del gobierno local/estatal/nacional.

Asimismo, es relevante investigar marcos normativos que permiten la vigilancia, entender bajo qué causales se permiten y qué instituciones específicas pueden ejercerla. Si no existen reportes, tal vez es necesario llevar a cabo solicitudes de acceso a la información si se cuenta con ese mecanismo en el país en el que se trabaja.

c) Actualización sobre programas y herramientas.

Esto incluye conocer sobre equipos y software dedicados al espionaje (torres falsas de celular -IMSI catchers-, aplicaciones, bloqueadores de señal, aplicaciones que explotan vulnerabilidades), sus costos, funcionamiento y facilidad para obtenerlos.

También es útil que se conozca a las compañías y sus políticas de privacidad, así como las capas de seguridad de sus programas y fallos reportados para:

* Correo electrónico
* Servicios en línea (archivar y compartir documentos, calendarios, construcción de escritos colaborativos en tiempo real, etc.)
* Programas que se utilizan comúnmente para dar soporte en línea
* Redes sociales
* Sistemas operativos comunes

=== Materiales útiles ===
Para la sesión de análisis participativa: Lápiz de cera, rollos de papel [https://es.wikipedia.org/wiki/Papel_de_estraza kraft], plumones, marcadores para pizarrón, hojas tamaño carta, estambre o hilo grueso de colores. Etiquetas redondas de colores (verde, amarillo, rojo, azul), tijeras (si se viajará en avión hay que recordar ponerlas en el equipaje que no va en cabina o las perderán).

Para los diagnósticos de las computadoras: [[File:08_ManualSD_TR.png|200px]]

* Al menos dos memorias usb totalmente limpias. Si se han usado con anterioridad hay que asegurarse de no solo de borrar los datos, sino de reescribir sobre ellos antes de usarlas.
* Versiones en vivo<ref>Un sistema operativo en ''vivo'' (o ''Live'' en inglés), es un sistema que puede iniciarse sin necesidad de ser instalado en el disco duro de la computadora, comúnmente a partir de un disco o un dispositivo de almacenamiento externo (USB) o por medio de la red, usando imágenes para netboot. Los sistemas ''Live'' no alteran el sistema operativo local o sus archivos, en algunos casos puede seguirse un procedimiento para que sean instalados en el disco duro de la computadora.
</ref> de antivirus (por ejemplo: ESET SysRescue y AVIRA).
* Versión en vivo de un sistema operativo GNU-Linux.

Para el segundo día debes asegurar que puedes imprimir el reporte preliminar.

=== Planificación y comunicación de la agenda ===
Descartando el tiempo dedicado a los preparativos, la fase de análisis y redacción del informe final; la metodología de diagnóstico que proponemos requiere dos días seguidos de trabajo ''in situ''. Idealmente son 16 horas en las oficinas de la organización pero el equipo de facilitación debe estar preparado para destinar un poco más de tiempo durante esos días.

Tal vez una pregunta que salta es por qué dos días. Es el tiempo promedio máximo que, en nuestra experiencia, una organización puede inicialmente comprometerse para dedicar al proceso.

Dependiendo de cómo esté estructurada la organización, para el diagnóstico es crucial que participe al menos un miembro de cada área/equipo de trabajo. Esto debe quedar bien claro en la comunicación con la organización, ya que es frecuente que sólo se cite al personal que da mantenimiento a las computadoras y/o directivos. La intención de convocar al menos a una persona de cada área/equipo es tener una muestra lo más real posible de cómo cotidianamente se trabaja.

La forma en la que recomendamos que se reparta la agenda dentro de los horarios de oficina es:

'''Primer día'''

* Sesión matutina conjunta para un análisis de riesgos, guiada por dos personas del equipo de facilitación (aproximadamente 4 horas), una tercera persona se ocupará de iniciar el diagnóstico de los equipos de cómputo (estimamos que se invierten 20 minutos aproximadamente por equipo. En las siguientes secciones daremos más detalles).
* Sesión vespertina para evaluar computadoras (4-6 horas ).

Para la noche del primer día, es necesario que el equipo de facilitación se reúna para hacer una valuación de la sesión matutina y un primer análisis de hallazgos, confirmar agenda y prioridades para el siguiente día.

'''Segundo día'''

* Sesión matutina para concluir la revisión de los equipos de cómputo (4 horas aproximadamente).
* Redacción del reporte preliminar (2 horas).
* Sesión vespertina para presentar el reporte preliminar y la retroalimentación del mismo (2 horas ).

Los detalles sobre cada actividad se presentarán en las siguientes secciones.

[[File:09_ManualSD_TR.png|left|300px|Agenda]] Es muy importante comunicar de forma clara todas las actividades a desarrollar, tiempo esperado y personal de la organización que es requerido para las sesiones conjuntas, así como las necesidades y tiempos para el diagnóstico de los equipos de cómputo.

=== Planificación del viaje ===
[[File:10_ManualSD_TR.png|left|400px|Viaje]]La planificación del viaje se debe hacer contemplando presupuesto, evaluación de seguridad, condiciones para un buen descanso (tal vez toca dormir poco pero hay que poder dormir bien) y condiciones adecuadas para trabajo nocturno.

Sobrepasa los objetivos del presente manual hacer una descripción detallada sobre los cuatro aspectos; sin embargo, hay algunos recursos en línea que pueden ser de utilidad para orientarse (hemos puesto algunos en la sección de Referencias útiles).

Es necesario asegurar que toda la logística es correcta, como la dirección del lugar donde se llevará a cabo el diagnóstico, tener un número y persona de contacto, prever el tiempo y medio de transporte local y coordinar la entrada y salida de las oficinas, para estimar el tiempo que requerirá evaluar los equipos de cómputo y el ambiente físico.

== Cuidado colectivo ==
[[File:12_ManualSD_TR.png|left|600px|juntxs]]Una buena atmósfera de trabajo parte de la generación de espacios seguros, en los que existe un ambiente positivo de trabajo, se cuida de maximizar los niveles de energía y dedicación, tanto de las personas participantes como del equipo de facilitación.

Algunos preparativos que puedes considerar para el cuidado colectivo son:

1. Incluir como parte del servicio de café, fruta de temporada y agua.[[File:11_ManualSD_TR.png|200px]]

2. Es muy útil llevar semillas o alimentos que proveen energía para que el equipo de facilitación pueda consumir en momentos breves.

3. Es importante estar atentos de los/as participantes y de los/as integrantes del equipo de facilitación para poder detenerse a descansar en algunos momentos, aunque no estén en la agenda, o sugerir alguna dinámica energizante.

=== Equipo de facilitación ===

En nuestra experiencia, el equipo ideal está compuesto por tres personas por cada 8-12 participantes. Lo que se busca es contar con personas que cubran los siguientes aspectos:

* Conocimiento en el análisis de las computadoras y herramientas de seguridad digital.
* Conocimiento en técnicas pedagógicas.
* Capacidad de investigación.
* Trabajo en el tema de cuidados o acompañamiento psicológico a comunidades con estrés.

Es común que no se pueda contar con el equipo ideal. En su defecto, hay que tratar de apoyarse en recursos sobre el tema y que por cada facilitador no haya más de diez personas.

Si el equipo está compuesto por biohombres y biomujeres, es importante ser consciente que la tendencia en el trabajo con organizaciones es dar mayor peso a la palabra masculina en los aspectos técnicos o tal vez también pueden existir otras características dentro del equipo de facilitación que despierten asimetrías. Por lo tanto, es primordial tomar conciencia de los privilegios sociales que se le pueden atribuir a los diferentes miembros del equipo y tratar de mitigar prácticas jerarquizantes.

== Día 1 ==

[[File:13_ManualSD_TR.png|left|250px|Día 1]]

El trabajo ''in situ'' para el primer día se divide en dos partes: el trabajo colectivo y el inicio de la revisión de los equipos de cómputo y del ambiente físico.

=== Trabajo colectivo===
[[File:07_ManualSD_TR.png|600px]]

Es necesario llegar con anticipación para preparar el espacio de trabajo. Antes de iniciar la sesión:

* Colocar las sillas y las mesas en forma de medio círculo.
* Poner lápices de cera de colores y/o plumones y hojas en el centro de la mesa.
* Recortar y pegar tres columnas de papel kraft o [https://es.wikipedia.org/wiki/Papel_de_estraza estraza] sobre una pared visible para todos/as; estos deben ser tan largos como el equipo de facilitación alcance a escribir sobre de ellos.
* Recortar y pegar otra columna de papel kraft separada para el glosario.
* Pedir las contraseñas de internet por si es necesario investigar algo en el momento.

====Presentación====
Tiempo estimado: 10 minutos

La sesión inicia con una breve dinámica de presentación del equipo de facilitación y de los/as asistentes. En este punto se provee información sobre el equipo de facilitación así como de lo que se espera del diagnóstico. Se puede aprovechar para enfatizar que en el diagnóstico no hay respuestas buenas o respuestas malas, sino que hay lo que se hace, así, sin calificativos. Es primordial ser muy sensible para detectar si existe algún tipo de resistencia o temor por parte de algún participante, para verbalizarlo y hacer notar que el diagnóstico no es una evaluación hacia las personas, sino que busca conocer qué se hace y con qué se hace para sugerir un plan apropiado de seguridad digital. También hay que destacar que el equipo de facilitación sólo pretende ayudar a ir generando el diagnóstico pero que se parte del conocimiento que los/las participantes tienen, por lo que es indispensable su participación.

También como parte de la presentación es importante hacer acuerdos de formas de trabajo. En educación popular usamos:

* Forma es fondo
* La memoria es más extensa que la inteligencia.
* La memoria colectiva es más extensa que la memoria individual
* La letra con juego entra
* Nadie aprende en cabeza ajena
* Entre todos/as sabemos todo
* Nadie libera a nadie, nadie se libera solo. Nadie educa a nadie y nadie se educa solo
* Evitar negar a el/la compañero/a.
* Sumar la idea de el/la otro/a.
* Escucha activa
* Evitar calificativos
* Evitar monopolizar la palabra
* Para hacer más fructífera la discusión, ir sumando,no redundando en lo dicho
* No imponer ideas

====Actividad: Dibujar mi día al lado de la tecnología====
Tiempo estimado: 45 minutos

Objetivo: Conocer dispositivos, programas, aplicaciones que se usan y para qué se usan. Este ejercicio permite también conocer si los mismos dispositivos son usados para trabajo o actividades personales.

Descripción: Se pide a los/las asistentes que dibujen su día al lado de las tecnologías que ocupan (no sólo las de trabajo sino las que usan cotidianamente; por ejemplo, aplicaciones biométricas o de esparcimiento, como las de citas o sitios de taxi). Hay que mencionar que con esta actividad se busca una narrativa, así que para las personas que no se sienten tan cómodas dibujando, pueden escribir un texto.

Sugerencia: Antes de iniciar las presentaciones de los dibujos, podría ser útil dividir la primera columna del papel kraft en cuatro secciones: “Celular”, “Computadora”, “Celular+Computadora” y “Otros dispositivos”, para apuntar los usos de la tecnología bajo el tipo de dispositivo que más le corresponde.

Posteriormente, cada participante describe su dibujo. Mientras lo hace, un miembro del equipo de facilitación va apuntando en la primera columna de papel kraft los "Usos de la tecnología" que debe reflejar el dispositivo/aplicación y su uso, por ejemplo:

* Yo uso la alarma de mi celular para despertarme por la mañana.
* Uso mi computadora para escuchar música en Spotify.
* Utilizo una aplicación en mi celular para cuantificar mi pasos diarios.
* Uso Whatsapp en mi celular para compartir audios con mis colegas.
* Uso Dropbox para respaldar documentos de mi computadora.

Dependiendo de la cantidad de asistentes, no es necesario que todos/as expongan su dibujo; en todo caso, se puede pedir a algunos/as que lo hagan y después que el resto complemente si tiene algún uso que no se ha mencionado.

También cuando se sabe que hay aplicaciones que sirven tanto en el celular como en una computadora o tableta, hay que indagar si se usa sólo en un dispositivo o en todos.

Al final del ejercicio, tendremos una lista de usos de la tecnología.

====Actividad: ¿Qué información se produce?====
Tiempo estimado: 45 minutos

Objetivo: Detallar para cada uso de la tecnología, la información que se produce.
Descripción: Indicar para cada uso de la tecnología la información que se produce. Aunque parezca obvio, es necesario explicar a qué información se refiere. Por ejemplo, en el caso de una fotografía, la información que se produce no es en sí mismo el archivo digital que lo contiene, que puede ser un archivo .jpg o .png, sino lo que está en la foto; por ejemplo, qué es lo que fue tomado (un paisaje o personas), en qué momento, en qué lugar, etc. En el caso de una aplicación para taxis, la información que se produce va desde origen y destino, hasta frecuencia o forma de pago. Esta es una buena oportunidad para introducir el término '''Metadatos''' e incluirlo en el glosario. En este ejercicio es muy importante que se llegue al mayor detalle posible. La actividad se desarrolla completando la segunda columna de papel kraft con la información que se produce según el uso de la tecnología que se haya mencionado.

Al final del ejercicio, tendremos la lista de la información que generan la organización y sus integrantes.

====Actividad: Lluvia de actores====
Tiempo estimado: 30 minutos

Objetivo: Generar una extensa lista de actores que podrían tener un interés personal, político y/o económico de la información que la organización y su equipo de trabajo producen.

Descripción: La actividad consiste en discutir qué actores podrían estar interesados en cada información que se ha colocado en la lista. En esta actividad se tienen que verter todos los actores hipotéticos, sin descartar alguno, ya que en las siguientes actividades se podrán evaluar la motivación y recursos para quedarse con una lista más acotada.

Cabe explicar que la invitación es pensar en actores internacionales, nacionales, locales, políticos, grupos religiosos, periodistas, incluso en quienes pudieran tener algún tipo de interés personal, como particulares que tengan alguna inconformidad con el personal o la organización.

Durante la actividad se conecta a cada actor con la información que le podría interesar, usando plumones de colores por actor o usando estambre o hilo grueso para cada conexión. El equipo de facilitación, sin imponer puntos de vista, puede aportar información resultante de la investigación de contexto.

Tendremos una lista de actores relacionados con la información que produce la organización al finalizar el ejercicio.

====Actividad: Acotando actores====
Tiempo estimado: 40 minutos

Objetivo: Determinar actores que, además de tener motivación, podrían contar con los recursos necesarios para tratar de obtener información de la organización sin su consentimiento.

Descripción: Durante la actividad se discute sobre los actores mencionados: si cuentan con recursos o si se conoce que han implementando prácticas de vigilancia y/o espionaje. Se consideran recursos, no solo económicos, para poder llevar a cabo una acción: tener conocimientos, personas que pudieran ayudarles, relaciones con personas poderosas.

El equipo de facilitación debe aportar elementos sobre los diferentes tipos de recursos que se necesitan para intentar obtener información de la organización; por ejemplo: el robo de los equipos de cómputo, colocación de antenas falsas de celular, envío de malware (recordar que todos los términos nuevos se deben poner en el glosario, invitando a los participantes a escribir también).

El equipo de facilitación puede proveer de contexto sobre el marco legal y antecedentes de la vigilancia, para señalar cuáles actores están legalmente facultados para llevar a cabo la vigilancia; capacidad política o social/económica de influir sobre políticos y accesibilidad de la tecnología de vigilancia (capacidad técnica y económica).

Hay que recordar que este ejercicio tiene que ver con la percepción de cada participante, por lo que no es indispensable llegar a consensos, aunque es útil, y se puede dejar una anotación sobre las diferentes opiniones.

Con el ejercicio concluido, tendremos una lista acotada de actores que tienen capacidad de vigilancia, con interés en el trabajo de la organización.

====Actividad: El semáforo de la información====
Tiempo estimado: 40 minutos

Objetivo: Determinar qué información se considera sensible.

Descripción: Sobre la lista de información que la organización produce, para cada dato que pueda ser de interés para algún actor que se encuentra en la lista final de la actividad '''5''', se pregunta: ¿Qué harían los actores si obtienen la información? ¿Qué tan grave sería esto para la organización (sus campañas, la seguridad de sus contrapartes, la seguridad de las víctimas que acompaña, la seguridad de los integrantes de la organización, la reputación de la organización, su seguridad económica, etc.)? Si las consecuencias serían graves, poner un punto rojo. Si son consecuencias que llevan un costo importante para la organización pero son superables, un punto amarillo. Si es preferible que no ocurra pero el impacto sería mínimo o nulo, un punto verde.

Sugerencia: Insistir con los/las participantes que antes de elegir el color de semáforo justifiquen bien la elección. Por ejemplo, describiendo una situación hipotética y realista de la posible consecuencia o citando un caso parecido que haya sucedido, explicando cuál sería el impacto para la organización. Requiriendo una explicación de la propuesta de color de semáforo se fomentan la discusión y el debate entre los participantes, ayuda a que los resultados finales del diagnóstico estén realmente consensuados.

Al concluir la actividad, tendremos una lista de la información que se tiene que proteger de la vigilancia: todos los datos que tienen puntos rojos o amarillos.

====Actividad: Puertas y candados para la información====
Tiempo estimado: 15 minutos

[[File:16_ManualSD_TR.png|400px]]

Objetivo: Describir los mecanismos de protección que existen sobre la información sensible de la organización.

Descripción: Para toda la información que tiene que protegerse de la vigilancia, teniendo a la lista de “usos de tecnología” como referencia, preguntar dónde se encuentra esta información y cuáles medidas se han tomado hasta ahora para resguardarla y/o limitar el acceso de terceros a ella (llave, cifrado, contraseña, ubicación, temporalidad, nada, '''respaldos''', etc.). Apuntar las respuestas.

En esta actividad es necesario tratar de recuperar los saberes intuitivos que los miembros de la organización usan. Algunos no tendrán base alguna y puede ser un momento adecuado para eliminar falsos supuestos, pero en otros es posible sorprendernos con las estrategias que la gente desarrolla.

Al terminar el ejercicio, tendremos una lista de los usos de la tecnología por parte de la organización y sus integrantes, los cuales requieren la incorporación de mejores prácticas y herramientas de seguridad digital.

====Comentarios de cierre del trabajo colectivo====
Tiempo estimado: 15 minutos

Para poder concluir la sesión grupal se pregunta a los/as asistentes si en su percepción han tenido incidentes de seguridad en general y digital, en particular. Después, si se siente ansiedad o malestar en el grupo, hay que tratar de generar un diálogo sobre la importancia del diagnóstico como primer paso, proceso que nunca será perfecto sino que estará en transformación constante pero que será útil. Se puede recurrir a alguna dinámica corporal que ayude con el estrés.

[[File:22_ManualSD_TR.png|600px]]

Para cerrar, se explica que el siguiente paso es la revisión del ambiente físico y de los equipos de cómputo, enfatizando que no se trata de un análisis forense y que tampoco será el momento de instalar programas o arreglar problemas que se presentan, sino una mirada '''a vuelo de pájaro''' de estructura de la información que se guarda, programas, estado de antivirus. Hay que reforzar que no será un análisis que violente la privacidad, puesto que para algunas personas mostrar sus equipos de cómputo puede ser como mostrar el clóset de su habitación o el cajón que está al lado de la cama. También se aprovecha para recordar la importancia de contar con la total asistencia de quienes participarán en la sesión de retroalimentación de los hallazgos preliminares.

[[File:23_ManualSD_TR.png|left|450px|Celulares]]
Probablemente, un análisis más exhaustivo incluiría la revisión de móviles pero, a partir del análisis de las computadoras y de la actividad sobre usos de la tecnología, se pueden inferir muchas de las vulnerabilidades. Lo que se busca es no exponer a las personas en su intimidad. Concluyendo la sesión hay que recordar que la información deberá guardarse en un lugar seguro.

''Nota: Dependiendo del tiempo, se recomienda tomar uno o dos descansos.''

=== Análisis del ambiente físico y de los equipos de cómputo ===
[[File:17_ManualSD_TR.png|right|350px|Ambiente]]La seguridad digital depende también de las condiciones ambientales en las que se usan los dispositivos. Por tanto, es pertinente realizar una evaluación sistemática de algunos aspectos específicos de las instalaciones de trabajo, incluyendo:

a) La facilidad para acceder a la oficina: cuántas puertas y ventanas tiene y si están bien protegidas, si es fácil acceder desde alguna construcción vecina, etc.

b) Si la oficina cuenta con portero y si se cumple el protocolo acordado con él para el ingreso.

c) La existencia de alarmas y cámaras de seguridad. En caso de contar con cámaras, hay que asegurarse que funcionan y si graban. En ese caso, preguntar la existencia de protocolos para revisar los videos. También si tienen una pila para la alarma, en caso de un corte de energía eléctrica.

d) Si en la oficina hay espacios que se cierran bajo llave, conocer quiénes tienen las llaves y acceso a qué espacio. Si hay archiveros, también saber quiénes.

e) Otro aspecto a evaluar es si se recibe a gente externa a la organización en una sala en particular, y si los/as visitantes podrían desde ahí dirigirse fácilmente a otra área dentro de la oficina (se busca saber si es posible robar equipos o dejar un dispositivo tipo keylogger).

f) Estado de la construcción, especialmente si hay humedad, y si las conexiones eléctricas están en buen estado. También verificar si hay sobrecarga de dispositivos en una misma conexión y si se usan reguladores.

Como parte de esta revisión general hay que observar si las computadoras están conectadas usando una red inalámbrica o por ethernet, la configuración de la red, la fortaleza de la contraseña de la red inalámbrica, si el módem ha cambiado su configuración de origen y la compañía que ofrece el servicio.

Para la revisión de los equipos de cómputo hay que recordar que no se trata de un análisis forense y la profundidad con la que se realice depende de los conocimientos técnicos del equipo de facilitadores y el tiempo. En caso de sospechar la presencia de '''malware''', si se quiere documentar para tomar acciones legales, es mejor no trabajar sobre el equipo y generar una copia. Por sí mismo, esto es un trabajo independiente, pero si se requiere se puede iniciar con un sistema en vivo GNU-Linux (el comando ''dd'' puede ser una opción).

Considerando el tiempo promedio que requiere el análisis de las computadoras, recomendamos intentar hacer al menos 10 equipos que correspondan a las diferentes áreas de trabajo, ya que lo que se pretende es tener una muestra lo más completa posible.

El análisis de las computadoras se concentra en tres puntos: a) vulnerabilidades en los equipos por ausencia de antivirus, desactivación de firewall o falta de actualizaciones de seguridad; b) instalación y uso de programas que tienen vulnerabilidades, malware, adware u otro tipo de software malicioso; c) exposición por uso del navegador de internet.

Para poder evaluar los puntos anteriores, en el caso del sistema operativo Windows, desde la terminal cmd se pueden usar los siguientes comandos: systeminfo, tasklist y wmic product get name,version. Después se va al visor de eventos y se guardan los logs de eventos de seguridad, de hardware, aplicación, administrativos, instalación y sistema para una revisión rápida.

En OS X puedes usar Información del sistema y la consola para mirar los logs. En GNU-Linux hay una variedad amplia de comandos para listar programas y ver los logs.

Se revisa el estado de firewall.

Se detecta si se tiene antivirus, versión de la base de datos y logs. Si no se tiene antivirus o está desactivado se debe considerar usar una de las versiones en vivo.

Se revisa que navegador/es se usan, guardado del historial, guardado de contraseñas y plugins instalados.

'''Sugerencia''': dependiendo de las habilidades del equipo de facilitación, se puede generar un ''script'' para automatizar la revisión del firewall y de los logs.

'''Sugerencia''': Al revisar los logs también es posible automatizarlos mediante un ''script'', es importante poner atención en las direcciones IP recurrentes.

'''Sugerencia''': Puedes hacer un mapeo completo de la red para verificar equipos conectados y usuarios. Para la Wifi puedes verificar tipo de cifrado, vpn y/o vlan.

== Evaluación del día y revisión de archivos ==
[[File:18_ManualSD_TR.png|right|400px|Análisis]]
Para lograr concluir el trabajo en tiempo, el tener una breve reunión de evaluación en la que se puedan intercambiar observaciones, posibilidades para el segundo día, preocupaciones, aspectos positivos del trabajo y cómo se siente el equipo de facilitación, hará más eficiente el tiempo restante.

A partir de la reunión general y los primeros resultados de los equipos de cómputo, se puede iniciar ya la sistematización para la redacción del informe preliminar. En el anexo 1 podrás encontrar una propuesta de formato. El objetivo en general es organizar la información, considerando los riesgos encontrados y, a partir de ello, proponer una ruta de fortalecimiento en seguridad digital para la organización.

El informe debe considerar:

* Hallazgos de la evaluación del ambiente físico.
* Análisis de amenazas a la información:
a) Riesgo: Pérdida de información por fallo de hardware, robo o pérdida de hardware, o error humano

b) Riesgo: Pérdida de información por ataque de malware y

c) Riesgo: Vigilancia o robo de datos.

* Recomendaciones.

Para este momento se tendrá además mucha información que revisar y procesar. Sobre los archivos que se tienen de los equipos, hay que evaluar programas instalados y, si hay algunos que son poco comunes, investigar sobre ellos. '''En otros casos se conocen más las vulnerabilidades''', por ejemplo: en programas para comunicación por voz si usan o no cifrado en tránsito. Para los logs, lo que se necesita es una vista '''a vuelo de pájaro''', entonces se tiene que relacionar la información con lo que la gente ha manifestado que hace o detectar si se reportó algún incidente extraño. Por ejemplo, si el trabajo en la oficina es siempre matutino, será anormal encontrar que hay un reporte de inicio del sistema por la noche. También hay que familiarizarse con los procesos que comúnmente se ejecutan en los diferentes sistemas operativos para observar si hay procesos inusuales.

La profundidad con la que se logre la revisión de eventos del sistema y lista de tareas, depende mucho de los conocimientos y la experiencia que tiene el equipo de facilitación. Para introducirse en el tema es útil investigar aspectos como los programas comunes de inicio de los sistemas operativos y los códigos de errores. La idea muchas veces no es encontrar un error sino buscar patrones y anomalías.

== Día 2 ==
[[File:13_ManualSD_TR.png|left|200px|sol]] La jornada del segundo día consiste en tres etapas: 1) Primera conclusión de la revisión de los equipos de cómputo; 2) la redacción del informe preliminar; y 3) la discusión del mismo con la organización.

=== Conclusión del análisis de equipos de cómputo y redacción del informe preliminar ===

Lo deseable es ocupar entre tres y cuatro horas para terminar con la revisión de los equipos para dejar suficiente tiempo para concluir el informe preliminar (aproximadamente dos horas) y reservar unos minutos para la impresión.

En la redacción del informe hay que tener cuidado con proveer una argumentación sólida que justifique las recomendaciones. Si bien el objetivo no es redactar una explicación extensa sobre cada vulnerabilidad encontrada, en algunos casos ayudará para apropiarse de la propuesta, entender el por qué algo es considerado un riesgo. El informe debe poder hilar aspectos de contexto social, político y económico con aspectos más técnicos. También, sin minimizar los riesgos, se debe ser responsable con la forma en la que se plantean las vulnerabilidades.

Las recomendaciones deben asumir las condiciones reales de cada organización. A veces la mejor opción es la que, en efecto, se podrá implementar; de nada sirve proponer cambiar de equipos o poner un servidor interno si no hay condiciones. Sin embargo, es posible sugerir recomendaciones a largo plazo. Las propuestas deben ser claras respecto a los requerimientos para ser implementadas, incluyendo los tiempos. En nuestra experiencia, es importante poder comprometer a la organización en acciones a corto plazo que alienten su interés y visibilicen que es posible tomar algunas acciones. De tal forma, la seguridad como un paso a la vez, se fortalece con prácticas más autónomas.

En el Anexo I se encontrará se sugiere una plantilla para que facilitar el proceso de redacción del reporte preliminar.

===Presentación del informe preliminar ===
[[File:20_ManualSD_TR.png|600px]]

El tiempo estimado para esta actividad es de dos horas. Se inicia explicando que el informe es una primera versión que tiene como objetivo compartir con la organización los hallazgos y las recomendaciones, que es un momento valioso para hacer cambios por si se ha entendido mal alguna cosa o si hay información que no quedó incluida, y que se alcance un acuerdo interno con el equipo de facilitación respecto a las recomendaciones finales.

Se dan unos minutos para que cada participante lea el informe y, posteriormente, se hace una lectura colectiva, dando la oportunidad para la retroalimentación.

En la sección de recomendaciones es fundamental que quede claro lo que se propone, tiempos, y las razones por las cuales se hace cada recomendación.

Finalmente, se crea un acuerdo sobre el medio oportuno para hacer la entrega del informe final y la confidencialidad de la información, acordar como se destruye el papel kraft usado y si es necesario destruir también las copias del informe preliminar. Si aún queda algo de tiempo se puede pedir una breve evaluación de los/as participantes sobre la experiencia del diagnóstico en el ánimo de hacerlo cada vez mejor.

En el caso de que el equipo facilitador tenga que conservar algunos archivos del análisis de computadoras para un análisis más profundo, debe considerar la vía más segura para transportarlos, guardarlos y borrarlos posteriormente.

== Diagnóstico final ==
[[File:19_ManualSD_TR.png|left|300px|Informe]] La versión final del informe del diagnóstico debe incluir todos los cambios sugeridos en la reunión de retroalimentación. Su elaboración es una oportunidad para añadir una argumentación más detallada sobre vulnerabilidades, empresas, condiciones económicas y/o políticas. Inevitablemente implicaría investigación adicional para poder llenar huecos de información que no se pudieron resolver durante la actividad de análisis de amenazas, y para contar con la información más actualizada sobre las herramientas cuyas ventajas y desventajas se evaluaron. La investigación es fundamental para maximizar la pertinencia de las recomendaciones y la claridad de su justificación.

[[File:21_ManualSD_TR.png|right|300px|Envio]]El último paso en el diagnóstico es hacer llegar el reporte final a la organización. Es importante que se envíe por un medio seguro, ya que el reporte puede contener información altamente sensible sobre la organización, y también para establecer un buen antecedente al manejar cuidadosamente el transporte de información sensible.

== Recursos útiles ==

Sin duda, mantenerse actualizado sobre las herramientas y tener acceso a información que nos ayude en los proceso formativos de seguridad digital, es complicado. A continuación, listamos algunos recursos útiles, pero hay que recordar que los cambios en el tema se están dando en tiempos muy cortos, por lo que hay que buscar actualizarse y, si se tiene la oportunidad, compartir los recursos que se encuentren con la comunidad.

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual/es Manual Zen]
* [https://securityinabox.org/es/ Seguridad en una caja]
* [https://ssd.eff.org/es Autoprotección Digital Contra La Vigilancia: Consejos, Herramientas y Guías Para Tener Comunicaciones Más Seguras]
* Documentos de [https://karisma.org.co/biblioteca/ Fundación Karisma]
* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

En inglés:

* [https://holistic-security.tacticaltech.org Seguridad holística]
* [https://safetag.org/ SAFETAG]
* [https://level-up.cc/ Level-up]

==Agradecimientos ==
[[File:25_ManualSD_TR.png|300px]]

Agradecemos profundamente a Jacobo Nájera, Hedme Sierra Castro y William Vides por su revisión de la versión en español y a Alexandra Hache por la lectura de la primera versión de este documento. Agradecemos también a Mónica Ortiz por la corrección ortográfica y de estilo.

==Créditos ==
Esta guía fue escrita por [http://tecnicasrudas.org Técnicas Rudas] con el apoyo del "Institute for War
and Peace Reporting" [http://iwpr.net IWPR].

<gallery>
IWPR-LOGO.png|IWPR
LogoTR.png|Técnicas Rudas
</gallery>

Diseño: María Silva y Yutsil Mangas

==Anexo I==
[https://gendersec.tacticaltech.org/wiki/images/8/8c/Diagn%C3%B3sticoSeguridadDigital_InformePreliminar_Plantilla.odt Plantilla para el reporte final del Diagnóstico en Seguridad Digital]

==Referencias==

[[Category:How_To]]
[[Category:Resources]]

Digital Security Assessment for Human Rights Organizations: A guide for facilitators

2017-11-06T23:28:15Z

Anamhoo: /* Computer diagnostics and evaluation of facilities */

[[File:01_ManualSD_TR.png|600px]]
== Introduction ==
[[File:24_ManualSD_TR.png|center|600px]]

Advances in Information and Communications Technologies (ICT) have played a critical role in expanding the potential of human rights organizations to make a difference by enabling wider reach, scaling-up and increasing efficiency in essential activities including internal and external communication, remote collaboration, data collection and analysis, and documentation. Simultaneously, the integration of digital technologies into their day to to day work has exposed activists to new risks evidenced by reports of widespread intrusions on privacy from the hacking of emails and Facebook accounts to the infecting of computers with government-purchased spyware and the monitoring of telephone communication. These new risks are also present in the physical robbery of computers, as well as the loss or theft of cellphones containing both personal and professional data. Unwanted access to confidential information can expose activists to a range of threats including blackmail, public humiliation, obstruction of campaign strategies and day-to-day operations through physical, economic or technical interventions, and attacks on their physical security and that of their families and allies in the field.

Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: Either resign to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs all together because it is not worth the risk.

At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenged faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a [https://holistic-security.tacticaltech.org/ holistic security strategy].

Unfortunately, due to lack of time, resources and information, civil society organizations and activists rarely embark on a deliberate process for developing a digital security strategy beyond receiving input from technical experts to resolve immediate issues or learning about best practices and new tools. As a result, agreements to use certain tools or abide by certain protocols are abandoned over time.

For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.

==How to use this guide==

[[File:02_ManualSD_TR.png|400px]]

This guide is directed primarily at the digital security training community, but may also prove useful for an organization that chooses to initiate a digital security process on its own. The activities and structure proposed herein can and should be adapted to the specific circumstances and needs of the organization. The guide can also be a useful reference for facilitators throughout the implementation of the diagnostic. The methodology can also be applied to individual assessments with minimal adjustments.

== Methodological Foundations==

The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.

=== Why "technopolitical"? ===
[[File:03_ManualSD_TR.png|left|350px|Tech]][[File:09_ManualSD_TR.png|riaght|350px|Tech2]]

A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".

A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment, however it also incorporates criteria related to social impact in its guidance on how to develop recommendations.

One example of applying a technopolitcal perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of [https://chupadados.codingrights.org/es/ Coding Rights]).

Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 government-driven surveillance and espionage taking place on a global scale]. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html systematic use of government-purchased spyware against human rights activists and journalists].

Other examples of and practical resources on technopolitics: Everything you read by the [https://www.eff.org/ Electronic Frontier Foundation]; Tactical Tech's [https://tacticaltech.org/projects/27 Politics of Data] project; a Human Rights Watch series on [https://www.hrw.org/news/2016/03/25/digital-disruption-human-rights “Digital Disruption of Human Rights”]; research projects by the [https://www.theengineroom.org/work/=research Engine Room]; the Data&Society Institute's program on [https://datasociety.net/initiatives/data-human-rights/ Data, Human Rights & Human Security].

Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.

=== Transhackfeminism===
[[File:04_ManualSD_TR.png|600px]]

Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:

a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries.

b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of ''Pitchblende'' to obtain just one gram of the material that led her to discover the radio.

c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization.

Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.

=== Popular Education===
[[File:05_ManualSD_TR.png|600px]]

Popular education starts with the recognition that education is a political act. This political act can be repressive if it establishes hierarchical power relations, or emancipatory if it breaks them. In line with popular education, we are proponents of the emancipatory role of education. Our methodology for the facilitation of the participatory diagnostic is guided by the following three axioms:

1) theory and practice are dialectically related

2) consciousness - as its etymology indicates - comes from knowledge learned in the company of others

3) The world not a static reality, but a reality in process (Paulo Freire) <ref>Greater detail on popular education is beyond the scope of this manual, however there is an extensive body of literature on the subject. We recommend starting with [Paolo Freire] (https://es.wikipedia.org/wiki/Paulo_Freire).</ref>

== Preparation ==

[[File:06_ManualSD_TR.png|300px]]

Though the bulk of the diagnostic is carried out ''in situ'' with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of the how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.

=== Research ===
[[File:26_ManualSD_TR.png|500px]]

a) Get to know the organization.

Most likely, you already know something about the organization before deciding to work with them. However, it's important to expand that knowledge as much as possible for two objectives: 1) to evaluate risk for the facilitation team, and 2) to ensure that the assessment process itself is appropriate for the context and culture of the organization.

Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the ''in situ'' participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.

When collecting "public information" for this initial review, consider anything that can be found in media outlets, press releases, political statements, posts on social media, as well as information about the server, legal representative and technical team associated with the domain, any sub-domains and official web address (which can be relatively easily found using websites such as https://whois.net/default.aspx), and if possible, the company that provides the organization's email services.

Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII)<ref>PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.</ref> could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?

b) Analysis of the regional, national and local technopolitical context

In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services,<ref>A potentially helpful resource for answering this question is ShareLab's ([https://labs.rs/en/metadata/ metadata investigation of spy company Hacking Team's email communications]).</ref> as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.

It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.

c) Get up-to-date on programs and tools

This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.

It is also indispensable to be familiar with the business models, privacy policies, and transparency reports of the major companies that provide common ICT services, as well as the security features and any reported security flaws in connection with their products. Consider:

* email
* instant-messaging apps
* file sharing, calendars, real-time shared document editing and other cloud services
* video conferencing
* online tech support programs
* social media platforms
* operating systems
* mobile telecommunications

=== Useful Materials===

For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.

[[File:08_ManualSD_TR.png|left|200px|Computer diagnostics]] For the computer diagnostics: At least two completely clean pin drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.

===Planning and communicating the agenda===

Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work ''in situ''. However, the facilitators should be prepared to dedicate additional time between sessions.

Depending on how the organization is structured, it is crucial that at least one member from each area participate in the diagnostic. This requirement should be extremely clear in the communications with the organization leading up to the diagnostic, as they are likely to only invite technical staff and/or directors. The purpose of requiring at least one person from each area is to obtain the most accurate and complete portrayal of how the organization works.

We recommended the following distribution of activities over the course of 1-2 consecutive days:

'''Day One'''

Morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).

Afternoon session (Facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.

'''Day Two'''

Morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.

It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.

Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one-two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators because you will have to run the computer diagnostics in the afternoon of Day 1 and/or morning of Day 2.

===Planning your trip===
[[File:10_ManualSD_TR.png|400px]]

In planning your trip consider the following factors: budget, security assessment for the facilitators, adequate rest, and conditions that permit you to work late into the night (just in case).

While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.

===Collective care===
[[File:12_ManualSD_TR.png|600px]]

A positive work environment maximizes the focus and energy levels of both the participants and the facilitators. Here are some collective-care measures that facilitators can take before and during the diagnostic:

1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.

[[File:11_ManualSD_TR.png|200px]]

2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.

===Facilitators===

In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:

* Systems Administration
* Analysis of ICTs, and digital security tools
* Pedagogical techniques
* Research on technopolitical topics
* Sensitivity in situations of high emotional stress

You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.

If the team is comprised of biological men and biological women,<ref>Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.</ref> it is important to be aware that organizations (society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred to different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.

== Implementation==

The first day of the ''in situ'' stage of the assessment is comprised of two activities: collective risk analysis with the members of the organization, simultaneously with the hardware diagnostics and evaluation of the facilities.

=== Collective risk analysis ===
[[File:07_ManualSD_TR.png|600px]]

Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:

* Arrange the tables and chairs in a semicircle or U

* Distribute crayons, markers and paper on the table

* Place three long columns of kraft paper on a wall visible to all participants

* On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary

* Obtain the WIFI password in case you need to/are able to research doubts online during the session

1. Presentation (Estimated duration: 10 min)

Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.

To create a constructive environment for conversation, debate and self-expression, it's helpful to agree on some basic guidelines for participation, such as but not limited to:

1. Listen actively and with an open mind to the contributions of others
2. Avoid monopolizing the conversation and interrupting others
3. Be courageous, share your experience and perspective

2. Activity: Around-the-clock (Estimated duration: 45 min)

Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.

Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.

Tip 1: While the participants are working on their drawings, write "Uses of technology" at the top of the first column of kraft paper and divide the column into four roughly equal sections that you label: Cell phone/tablet; Computer; Computer+Cell/tablet; Other devices. This will help organize the notes you take when the participants present their drawings.

After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages partipants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:

- "I use the alarm on my cellphone to wake up in the morning"
- "I use my computer to listen to music with Spotify"
- "I use an app on my cellphone that counts steps"
- "I use Whatsapp to share audio files with my colleagues"
- "I use Dropbox from my computer to backup my documents"

Tip 2: It is not necessary that each and every participant present their drawing. In the interest of time, after a few people have presented, encourage the remaining participants to share uses of technology that have not yet been presented.

Tip 3: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.

Result: At the conclusion of this exercise, you will have a list of the typical ways that the members of the organization use technology.

3. Activity: What information is produced? (Estimated duration: 45 min)

Objective: Determine what information is produced as a consequence of each use of technology.

Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 1), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate because in the course of this activity it is important to be as detailed and exhaustive as possibe. As a consensus is reached, capture the answer in the second column of kraft paper.

Tip 1: Though it may it seem obvious, it is important to provide a clear definition of the word "information". For example, in the case of a photograph, the information is not "the photo", which only refers to the jpg or png file, but the content of the image, such as what is happening, the identities of the people in the picture, their location and the time and date of the event, etc. In the case of an app for taxis, the information produced would be origins and destinations of travel, frequency of certain routes and methods of payment.

Tip 2: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.

Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.

4. Activity: Actor Brainstorm (Approximate duration: 1 hour)

Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.

Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.

After completing the list of actors, connect each actor (from column 3) with the information they would be interested in (from column 2) extending a piece of thread from the actor toward the corresponding information. Throughout the exercise, when you consider it pertinent, contribute information about the technopolitical context that the members of the organization may not be taking into account.

Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.

Tip 1: Assign a distinct color of thread to each actor or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.

Tip 2: If the participants are having a hard time coming up with ideas, suggest that they consider a range of types of actors, including international, national, local, political, religious groups, media, and even private individuals with personal interests or vendetta against the organization or its members.

Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).

5. Activity: Actor brainstorm continued- Narrowing down (Estimated duration: 1 hour)

Objective: Determine which actors, in addition to having interest in the information produced from the organization, also possess the capacities and resources necessary to obtain that information without the organization's consent.

Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.

Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.

In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.

When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.

Tip 1: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.

Tip 2: During this exercise, it would be extremely useful to have on hand a table, chart, or infographic that clearly illustrates the legal, technical, and economic prerequisites for obtaining and using different surveillance tools, as well as the specific types of ICTs that these distinct surveillance tools are capable of attacking.

Result: At the conclusion of this exercise, you will have narrowed down a list of actors who have a) an interest in obtaining the organization's information and b) the capacity to obtain it.

6. Activity: Traffic lights (Estimated duration: 1 hour)

Objective: Determine which of the organization's information is sensitive.

Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity '''5'''), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.

Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.

Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".

7. Activity: Doors and Locks (Estimated time: 20 min)

[[File:16_ManualSD_TR.png|400px]]

Objective: Identify mechanisms that could help protect the organization's sensitive information.

Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.

Refer back column 1 of the kraft paper "Uses of technology" to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.

Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:

Tip: In some contexts it may appear that participants do not have enough technical knowledge to have placed adequate "locks" on all their "doors". However, be wary of making false assumptions. Often, organizations put in place digital security mechanisms intuitively, and as facilitators, you should recognize that and bring these advances to their attention.

Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.

8. Closing (Approximate duration: 20 min)

To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.

If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.

Before parting ways, make sure to briefly explain to the group that the next stage of the diagnostic consists in the revision of the staff's computers and the facilities. Make clear that this review is not a forensic analysis, that no programs will be installed on the computers, and that no technical issues will be fixed. Rather, this part of the assessment will offer a bird's eye view of the type of information that is stored, programs that have been installed, and the state of antivirus protections.

Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.

[[File:22_ManualSD_TR.png|600px]]

The collective risk analysis is now complete. Your final step is to transcribe the results into the preliminary report template (Annex I).

'''Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.'''

=== Computer diagnostics and evaluation of facilities===
[[File:17_ManualSD_TR.png|300px]]

Another aspect of digital security is the environment in which devices are being used. Therefore it is important to undertake a systematic evaluation of some of the specific aspects of the facilities and local ICT infrastructure, including:

a) How easy/difficult it is to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.

b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?

c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?

d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?

e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?

f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.

As part of this general review, consider the following checklist:

- Determine if the staff's computers are connected to the internet via WIFI or Ethernet
- Evaluate the network configuration, the strength of the WIFI password, encryption type, and if they have VPN or VLAN configured
- Determine if the modem's original configuration has been changed
- Identify the organization's internet service provider

Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.

Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.

Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.

Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU_Linux operating system (the command '''dd''' could be a good option).

We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.

The main points covered in the computer diagnostics are:

- vulnerabilities due to the absence of an antivirus program, inactive firewall, and lack of security updates
- installation of programs that contain vulnerabilities such as malware, adware and other malicious software
- the exposure of sensitive data due to browsing the internet

If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic product get name,version. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.

In OS X, you can access the "Console" from the Utilities folder to review system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.

On all operating systems, perform the following steps:

1. Check the status of firewall on all operating systems
2. Check the status of antivirus protections on the computers, including if an antivirus software is installed, if the database is up-to-date, and logs
3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you
4. Check which search engines are used, if search history and passwords are saved, and which plugins are installed

=== Reviewing findings ===

[[File:21_ManualSD_TR.png|left|300px|RF]][[File:08_ManualSD_TR.png|right|200px|Computer]]

At this time, you will have a large amount of information to review and process.

With respect to the files you saved during the computer diagnostics, review the programs installed. If any standout as uncommon, conduct additional research to determine if they may be a potential threat.

In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.

Tip: Prior to implementing the diagnostic, facilitators should familiarize themselves with common processes that are executed in the main operating systems and how those appear in event logs. With this knowledge under your belt, you will be able to more readily detect unusual processes when they are reported in logs. Remember that the goal is not so much to search for specific errors, but to discover patterns and anomalies.

=== Preparing the preliminary report ===

With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).

The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.

Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.

The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with [https://en.wikipedia.org/wiki/Planned_obsolescence built-in obsolescence] and to opt for [https://en.wikipedia.org/wiki/Free_and_open-source_softwareopen-source and free software].

Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.

=== Presenting the preliminary report ===
[[File:20_ManualSD_TR.png|600px]]

The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.

Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.

When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.

When all the feedback has been given and a consensus has been reached on the content of the preliminary report, the session is essentially adjourned. However, if any time remains, we highly recommend asking the participants to give you feedback on the methodology and facilitation style, as well as their overall sense of the utility of the diagnostic.

Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).

The facilitators must take care to securely transport any files from the computer diagnostics that require further analysis or incorporation into the final report. Securely delete these files once they are no longer needed.

== Putting together the final report==
[[File:19_ManualSD_TR.png|left|300px|Report]] The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.

The last step in the diagnostic is to deliver the final report to the organization. Make sure to send the report using a secure medium as it contains highly sensitive information about the security vulnerabilities of the organization. This is also an opportunity to set a precedent for the handling and transportation of sensitive files.

== Additional resources ==

Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual Zen Manual]

* [https://securityinabox.org/en Security In-A-Box]

* [https://ssd.eff.org Surveillance Self-Defense Security Starter Pack]

* [https://holistic-security.tacticaltech.org Holistic Security]

* [https://safetag.org/ SAFETAG]

* [https://level-up.cc/ Level-up]

In Spanish:

* Materials from [https://karisma.org.co/biblioteca/ Fundación Karisma]

* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

== Acknowledgments ==
[[File:25_ManualSD_TR.png|300px]]

Técnicas Rudas is immeasurably grateful to Ercilia Sahores (Verbamate) for
dedicating more than one sleepless night to helping translate the
original Spanish text of this manual into English. We would also like to
thank Sophie Elizabeth Lally and Philippa Mary Williams for their
meticulous revisions and invaluable contributions in revising and
adapting the content of the English-language manual.

==Credits==
This guide was written by [http://tecnicasrudas.org Técnicas Rudas] with the support of the [https://iwpr.net/ Institute for War and Peace Reporting]. Illustrated by María Silva and Yutsil Mangas.

[[File:LogoTR.png|300px]] [[File:IWPR-LOGO.png|350px]]

== Appendix I: Report Template ==
[https://gendersec.tacticaltech.org/wiki/images/d/d7/DigitalSecurityRiskAssessment_PreliminaryReport_Template.odt Digital Security Risk Assesment Report Template]

==Spanish version==
[https://gendersec.tacticaltech.org/wiki/index.php/Diagn%C3%B3sticos_en_seguridad_digital_para_organizaciones_defensoras_de_derechos_humanos_y_del_territorio:_un_manual_para_facilitadores Spanish guide]

== References ==

[[Category:How_To]]

Diagnósticos en seguridad digital para organizaciones defensoras de derechos humanos y del territorio: un manual para facilitadores

2017-11-02T14:06:40Z

Anamhoo:

[[File:01_ManualSD_TR.png|600px]]
== Presentando el manual ==
[[File:24_ManualSD_TR.png|center|600px|Introducción]]

En la mitología griega, Dedalus era un creador de artefactos, sus obras mostraban constantemente el profundo conflicto entre la innovación y su uso como herramienta del poder o la ambición. Como si fuese uno más de los artefactos de Dedalus, entre los sueños utópicos y las pesadillas, la tecnología actual no ha logrado escapar de sus propias paradojas. En el sueño de Dedalus, la innovación tecnológica serviría para volar y escapar del encierro pero en ese impulso humano de quedar cegado ante lo luminoso y la posibilidad, Ícaro, su hijo, llevó al límite el sueño.

Actualmente, la tecnología sigue jugando este papel: en el sueño potencia nuestra libertad y bienestar, pero se juega siempre en el límite. En el caso de las tecnologías de la información y la comunicación (TIC), como en la mitología, éstas nos dan la posibilidad de buscar la libertad traspasando fronteras, combatiendo discursos dominantes de odio, dando espacios para lo diverso, el encontrarnos y reconocernos, el compartir. Sin embargo, atadas a sus propias vulnerabilidades, las TIC exponen a quienes las usamos a riesgos como la vigilancia, el espionaje e incluso la manipulación.

El trabajo de los y las defensoras de los derechos humanos y del territorio, sin duda, se ha beneficiado del desarrollo de nuevas tecnologías para actividades importantes como comunicarnos, generar campañas, compartir información, hacer análisis, documentar casos y guardar datos. Al mismo tiempo, el uso de la tecnología ha generado nuevas vulnerabilidades, evidenciadas por eventos documentados, entre ellos: la infección de computadoras por autoridades gubernamentales con programas para vigilar, compra de equipos para monitorear llamadas, robo de computadoras a organizaciones sociales, pérdida/robo del celular con información personal y de trabajo que después se expuso en redes sociales, espionaje sobre redes sociales e intrusión en cuentas de correo o facebook.

La información que comúnmente nos llega sobre la capacidad de vigilancia que podría tener el Estado, algún cartel e incluso particulares, usando la tecnología, puede exacerbar el miedo y fomentar la autocensura. Puede parecer que solo hay dos opciones extremas: o ''usa la tecnología sin protección porque no hay nada que puedas hacer'' o ''destruyamos la tecnología''. En la práctica, esta disyuntiva se reduce a la decisión de usarla o no.

Nosotras abogamos por una postura distinta, que no parte de la desesperación, ni de responder con violencia, sino con auto-determinación: si bien la tecnología no es ni el principio ni el final del problema, un uso consciente puede potenciar nuestras acciones, evitar o mitigar vulnerabilidades y ayudar al cuidado colectivo.

A partir de nuestra propia experiencia dentro de colectivos, trabajo con organizaciones muy diversas e investigación, creemos que es importante generar estrategias y sumar a los análisis de seguridad de las organizaciones lo que se conoce como seguridad digital; que implica analizar nuestro uso de la tecnología, entender nuestras vulnerabilidades, encontrar herramientas que nos sean oportunas y desarrollar capacidades internas para integrarla dentro de un esquema general de seguridad.

Desafortunadamente, las organizaciones y colectivos, debido a problemas como la falta de tiempo, recursos o conocimientos, pocas veces cuentan con la oportunidad de generar esta integración de la seguridad digital como un proceso. Esto resulta frecuentemente en que al final las medidas acordadas se abandonan con el tiempo.

Desde las comunidades técnicas que tienen un compromiso social, existe también una dificultad para contribuir en estos procesos, ya que en muchos casos, si bien los conocimientos sobre seguridad digital pueden ser sólidos, la falta de estrategias pedagógicas o de experiencia sobre las condiciones reales en las que se desarrolla el trabajo cotidiano de las organizaciones, se crea una barrera que impide la comunicación y la transferencia de conocimientos.

Para que un proceso de seguridad digital sea apropiado efectivamente por las organizaciones, es fundamental que el conocimiento no se integre desde las voces expertas, sino desde el compartir y recrear. El paso inicial de tal proceso es el diagnóstico participativo.

En este manual, las '''Técnicas Rudas''' presentamos una propuesta metodológica para implementar diagnósticos de seguridad digital para organizaciones que trabajan en la defensa de los derechos humanos y/o del territorio. Este manual está dirigido especialmente a talleristas, facilitadores y expertos en seguridad digital que trabajen con organizaciones sociales. Sin embargo, creemos que puede ser útil para guiar a una organización que decida iniciar el proceso por sí misma.

La propuesta se caracteriza porque tiene una postura tecnopolítica e introduce una mirada feminista. En consecuencia, se basa en la educación popular como herramienta pedagógica.

=== ¿Por qué es necesaria la mirada tecnopolítica? ===

De forma superficial, el debate sobre las vulnerabilidades limita las consecuencias en el ámbito de la privacidad individual, generando una respuesta particularizada que se reduce a frases como “no tengo nada que ocultar", que no logra integrar el alcance social que estas tienen. Mientras que los especialistas buscan soluciones reduccionistas, como el que una aplicación se encargue de '''parchar vulnerabilidades'''.

[[File:03_ManualSD_TR.png|left|400px|Tecnopolitica]]Sin embargo, un análisis más profundo sobre la tecnología, da cuenta de cómo en las diferentes fases de los procesos tecnológicos existe una visión política-económica. Así, al momento de ser construida, se hace evidente la necesidad de analizar de dónde se obtienen los minerales indispensables para sus componentes, las manos de quienes trabajaron para su producción, las condiciones laborales; en dónde es producida y cómo llega a los mercados, el cómo estas mercancías serán consumidas, cruzadas por el género y la clase. Y al final serán desechadas bajo un esquema territorial del planeta, impuesto desde un porcentaje pequeño de la población que acumula la riqueza.

Esta mirada profunda que identificamos como tecnopolítica, ha hecho evidente que existe un interés económico en la obtención de datos personales a partir del uso de medios digitales. Por ejemplo, se puede ver la investigación de [https://chupadados.codingrights.org/es/ Coding Rights].

También han sido expuestas evidencias de vigilancia local y global. Por ejemplo, al momento de escribir este manual, en México se han mostrado evidencias de espionaje a periodistas y organizaciones defensoras de derechos humanos usando el software ''Pegasus''<ref>https://r3d.mx/2017/06/19/gobierno-espia/</ref>.

Para la región, en 2015, filtraciones de correos de la empresa Hacking Team evidenciaron la enorme inversión que gobiernos latinoamericanos habían hecho en hardware y software para la vigilancia<ref>https://www.derechosdigitales.org/wp-content/uploads/malware-para-la-vigilancia.pdf </ref>.

Sobre vigilancia masiva, el caso más conocido fue el de las [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 filtraciones] hechas por Edward Snowden en 2013, que mostraron un elaborado aparato de vigilancia global operada por la NSA (National Security Agency por sus siglas en inglés) de Estados Unidos <ref> https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29</ref>.

Considerando las condiciones sociales es importante alertar a quienes defienden los derechos humanos y el territorio que usan las TIC para sus comunicaciones, incluso como parte de sus estrategias de lucha, sobre sus vulnerabilidades.

La seguridad digital requiere una mirada tecnopolítica porque solo podrá responder certeramente a los retos actuales siendo sensible a las condiciones reales en las que las personas las usamos.

En la práctica, estas consideraciones se traducen en optar por software libre (ya que es transparente en su código y da la posibilidad de enriquecerlo), evitar contribuir en el desecho de tecnología o caer en el juego de la obsolescencia programada y tener prácticas pedagógicas que consideren aspectos sociales.

=== Las miradas feministas ===
[[File:04_ManualSD_TR.png|600px]]

Partimos de que no existe un feminismo, existen múltiples feminismos. Entre ellos, está el Transhackfeminismo que, si bien no cuenta con una definición clara (y probablemente no pretenda nunca una definición estática), rescata cuatro aspectos básicos:

a) El prefijo trans que hace referencia a la transformación, transgresión, transitoriedad; es el cambio y el saltar fronteras.

b) Hack, que en sus orígenes tiene que ver con trabajo mecánico que se repite. Es esa gota de agua que de tanto caer traspasa todo, es la esencia de Marie Curie procesando una tonelada de *Pechblenda* para obtener un gramo del material que le permitió descubrir el radio.

c) El feminismo como estas múltiples formas que han dado cuenta de cómo este sistema que sobrepone el capital a lo humano y ha basado su crecimiento en la explotación del cuerpo de la mujer, invisibiliza trabajos esenciales para la reproducción de la vida humana, discrimina y crea fracturas en las comunidades.

d) Desde la América Latina, '''la gran Abya Yala''', sumamos los feminismos comunitarios que introducen un ecofeminismo ligado a la tierra y descoloniza la mirada.

Desde el transhackfeminismo es posible ubicar la asimetría que hay para acceder al conocimiento y generar estrategias. Pone en el centro la comunalidad como nuestra base; cuestiona y desactiva las prácticas de poder al compartir conocimiento.

=== La educación popular ===
[[File:05_ManualSD_TR.png|500px]]

Existen una gran variedad de prácticas pedagógicas en manuales de seguridad digital, en algunos casos sólo son recomendaciones sobre dinámicas, útiles, por ejemplo, para despertar a los participantes cuando están cansados, algunas otras van más lejos y emplean técnicas de educación para adultos. Nosotras decidimos trabajar a partir de la educación popular <ref>Sobrepasa los alcances de este manual detallar aspectos de la educación popular y existe numerosa bibliografía al respecto. Se puede iniciar revisando la obra de Paulo Freire (Por ejemplo: https://es.wikipedia.org/wiki/Paulo_Freire)</ref> , porque compartimos que:

a) Educar es un acto político en el que existen relaciones de poder y hay que romper con esos esquemas.

b) Creemos que la teoría y la práctica están dialécticamente relacionadas.

c) Como lo dice la etimología de la palabra: la conciencia proviene del conocimiento aprendido con otros/as.

d) Asumimos que ''el mundo no es, el mundo está siendo'' (Paulo Freire).

==¿Cómo usar esta guía?==
[[File:02_ManualSD_TR.png|center|600px|Cómo?]]

Está guía esta enfocada en la comunidad de entrenadores o facilitadores en seguridad digital, pero también puede ser útil para una organización que ha tomado la decisión de iniciar su proceso de seguridad digital por sí misma. La estructura y las actividades propuestas puede y debe adaptarse a las circunstancias y necesidades específicas de la organización. La guía también puede ser una referencia útil para los facilitadores cuando llevan a cabo el diagnóstico de una organización o grupo. La metodología también puede aplicarse a evaluaciones individuales con ajustes mínimos.
== Preparativos ==
[[File:06_ManualSD_TR.png|600px]]

Considerando que el diagnóstico contempla tanto actividades ''in situ'' como trabajo de gabinete, para tener una facilitación eficiente y segura es vital estar preparado. Lo que significa:

1. Entender el contexto tecnopolítico en el que se desenvuelve la organización.

2. Proveer a la organización de una explicación precisa de cómo se llevará a cabo el diagnóstico, su propósito y las expectativas sobre los miembros de la organización que participen.

3. Estar seguro que se cuenta con todos los insumos materiales necesarios.

A continuación damos una serie de ideas de cómo prepararse, pero es importante que cada paso sea asimilado en su esencia y tratar de adaptar de forma creativa las situaciones particulares.

== Investigación ==
[[File:26_ManualSD_TR.png|500px]]

a) Conociendo a la organización.

Tal vez la invitación a colaborar llegó por la conexión de una persona cercana y por transferencia de confianza se tienen premisas tácitas. Sin embargo, tanto para evaluar el riesgo para el equipo de facilitación como para el proceso de diagnóstico, es necesario ampliar lo más posible este conocimiento, investigar quiénes son y lo que trabajan.

Hay que tomar en cuenta que la idea no es hacer un análisis invasivo, convertirse en [https://en.wikipedia.org/wiki/Stalking stalkers] <ref>El término popularmente se refiere a una actitud obsesiva que se refleja en la búsqueda de información pero que puede llegar más lejos.</ref> o exponer a las organizaciones en su vulnerabilidad, porque esto podría crear desconfianza, incomodar a la organización o poner a los/las participantes a la defensiva. Es necesario ser sensibles y tener claridad en el límite de la búsqueda de información pública. De ser necesario, durante el trabajo *in situ* se pueden aportar mecanismos sobre cómo hilar entre los diferentes tipos de información pública que existen y la información que, sin estar totalmente pública, las empresas que se utilizan para servicios como correo electrónico o redes sociales, pueden tener y combinar para diferentes tipos de análisis.

Consideramos información pública necesaria para esta primera aproximación toda la que esté disponible en prensa, comunicados políticos, la que se encuentre en redes sociales, la que esté disponible en su sitio web (incluyendo información sobre el servidor en el que se aloja, el representante legal y técnico que se asocien al dominio y sus direcciones oficiales, la cual se obtiene fácilmente a partir de páginas como https://whois.net/default.aspx) y, si es posible, quien provee el servicio de correo electrónico.

A partir de esta información, se trata de contestar preguntas como: ¿Qué temas se abordan? ¿Quiénes podrían estar interesados en oponerse a este trabajo o a quiénes afecta este trabajo? ¿Qué tan públicas son las personas que trabajan en la organización? ¿Con qué otras personas o instituciones se les puede asociar? ¿En qué país se encuentra el servidor de su sitio web? ¿Cuál es la información personal identificable (IPI<ref>IPI Información Personal Identificable se refiere a toda aquella información sobre un individuo que es administrada por un tercero (por ejemplo: gobiernos o empresas), incluyendo todos aquellos datos que pueden ser distintivos del individuo o a partir de los cuales es posible rastrear su identidad y toda la información asociada o asociable al individuo (por ejemplo: el número de su pasaporte, su dirección física, la placa de matriculación de su coche, etc).</ref>) del personal dentro de todos los datos que se han encontrado? ¿Es posible ubicar geográficamente las instalaciones de la organización? ¿Se pueden conseguir teléfonos de las oficinas o sitios de trabajo y teléfonos personales? ¿Han tenido incidentes de seguridad o amenazas reportadas públicamente?

b) Análisis del contexto tecnopolítico regional, nacional y local.

Esto incluye conocer y relacionar las temáticas que trabaja la organización y las posturas que habría sobre las mismas a nivel gubernamental nacional, estatal y local. Es importante buscar si se han reportado indicios de compra de equipos o asociación con empresas dedicadas al espionaje o la vigilancia y si ha sido una práctica gubernamental documentada la represión o la vigilancia. También se puede buscar la trayectoria de gente que participe del gobierno local/estatal/nacional.

Asimismo, es relevante investigar marcos normativos que permiten la vigilancia, entender bajo qué causales se permiten y qué instituciones específicas pueden ejercerla. Si no existen reportes, tal vez es necesario llevar a cabo solicitudes de acceso a la información si se cuenta con ese mecanismo en el país en el que se trabaja.

c) Actualización sobre programas y herramientas.

Esto incluye conocer sobre equipos y software dedicados al espionaje (torres falsas de celular -IMSI catchers-, aplicaciones, bloqueadores de señal, aplicaciones que explotan vulnerabilidades), sus costos, funcionamiento y facilidad para obtenerlos.

También es útil que se conozca a las compañías y sus políticas de privacidad, así como las capas de seguridad de sus programas y fallos reportados para:

* Correo electrónico
* Servicios en línea (archivar y compartir documentos, calendarios, construcción de escritos colaborativos en tiempo real, etc.)
* Programas que se utilizan comúnmente para dar soporte en línea
* Redes sociales
* Sistemas operativos comunes

=== Materiales útiles ===
Para la sesión de análisis participativa: Lápiz de cera, rollos de papel [https://es.wikipedia.org/wiki/Papel_de_estraza kraft], plumones, marcadores para pizarrón, hojas tamaño carta, estambre o hilo grueso de colores. Etiquetas redondas de colores (verde, amarillo, rojo, azul), tijeras (si se viajará en avión hay que recordar ponerlas en el equipaje que no va en cabina o las perderán).

Para los diagnósticos de las computadoras: [[File:08_ManualSD_TR.png|200px]]

* Al menos dos memorias usb totalmente limpias. Si se han usado con anterioridad hay que asegurarse de no solo de borrar los datos, sino de reescribir sobre ellos antes de usarlas.
* Versiones en vivo<ref>Un sistema operativo en ''vivo'' (o ''Live'' en inglés), es un sistema que puede iniciarse sin necesidad de ser instalado en el disco duro de la computadora, comúnmente a partir de un disco o un dispositivo de almacenamiento externo (USB) o por medio de la red, usando imágenes para netboot. Los sistemas ''Live'' no alteran el sistema operativo local o sus archivos, en algunos casos puede seguirse un procedimiento para que sean instalados en el disco duro de la computadora.
</ref> de antivirus (por ejemplo: ESET SysRescue y AVIRA).
* Versión en vivo de un sistema operativo GNU-Linux.

Para el segundo día debes asegurar que puedes imprimir el reporte preliminar.

=== Planificación y comunicación de la agenda ===
Descartando el tiempo dedicado a los preparativos, la fase de análisis y redacción del informe final; la metodología de diagnóstico que proponemos requiere dos días seguidos de trabajo ''in situ''. Idealmente son 16 horas en las oficinas de la organización pero el equipo de facilitación debe estar preparado para destinar un poco más de tiempo durante esos días.

Tal vez una pregunta que salta es por qué dos días. Es el tiempo promedio máximo que, en nuestra experiencia, una organización puede inicialmente comprometerse para dedicar al proceso.

Dependiendo de cómo esté estructurada la organización, para el diagnóstico es crucial que participe al menos un miembro de cada área/equipo de trabajo. Esto debe quedar bien claro en la comunicación con la organización, ya que es frecuente que sólo se cite al personal que da mantenimiento a las computadoras y/o directivos. La intención de convocar al menos a una persona de cada área/equipo es tener una muestra lo más real posible de cómo cotidianamente se trabaja.

La forma en la que recomendamos que se reparta la agenda dentro de los horarios de oficina es:

'''Primer día'''

* Sesión matutina conjunta para un análisis de riesgos, guiada por dos personas del equipo de facilitación (aproximadamente 4 horas), una tercera persona se ocupará de iniciar el diagnóstico de los equipos de cómputo (estimamos que se invierten 20 minutos aproximadamente por equipo. En las siguientes secciones daremos más detalles).
* Sesión vespertina para evaluar computadoras (4-6 horas ).

Para la noche del primer día, es necesario que el equipo de facilitación se reúna para hacer una valuación de la sesión matutina y un primer análisis de hallazgos, confirmar agenda y prioridades para el siguiente día.

'''Segundo día'''

* Sesión matutina para concluir la revisión de los equipos de cómputo (4 horas aproximadamente).
* Redacción del reporte preliminar (2 horas).
* Sesión vespertina para presentar el reporte preliminar y la retroalimentación del mismo (2 horas ).

Los detalles sobre cada actividad se presentarán en las siguientes secciones.

[[File:09_ManualSD_TR.png|left|300px|Agenda]] Es muy importante comunicar de forma clara todas las actividades a desarrollar, tiempo esperado y personal de la organización que es requerido para las sesiones conjuntas, así como las necesidades y tiempos para el diagnóstico de los equipos de cómputo.

=== Planificación del viaje ===
[[File:10_ManualSD_TR.png|left|400px|Viaje]]La planificación del viaje se debe hacer contemplando presupuesto, evaluación de seguridad, condiciones para un buen descanso (tal vez toca dormir poco pero hay que poder dormir bien) y condiciones adecuadas para trabajo nocturno.

Sobrepasa los objetivos del presente manual hacer una descripción detallada sobre los cuatro aspectos; sin embargo, hay algunos recursos en línea que pueden ser de utilidad para orientarse (hemos puesto algunos en la sección de Referencias útiles).

Es necesario asegurar que toda la logística es correcta, como la dirección del lugar donde se llevará a cabo el diagnóstico, tener un número y persona de contacto, prever el tiempo y medio de transporte local y coordinar la entrada y salida de las oficinas, para estimar el tiempo que requerirá evaluar los equipos de cómputo y el ambiente físico.

== Cuidado colectivo ==
[[File:12_ManualSD_TR.png|left|600px|juntxs]]Una buena atmósfera de trabajo parte de la generación de espacios seguros, en los que existe un ambiente positivo de trabajo, se cuida de maximizar los niveles de energía y dedicación, tanto de las personas participantes como del equipo de facilitación.

Algunos preparativos que puedes considerar para el cuidado colectivo son:

1. Incluir como parte del servicio de café, fruta de temporada y agua.[[File:11_ManualSD_TR.png|200px]]

2. Es muy útil llevar semillas o alimentos que proveen energía para que el equipo de facilitación pueda consumir en momentos breves.

3. Es importante estar atentos de los/as participantes y de los/as integrantes del equipo de facilitación para poder detenerse a descansar en algunos momentos, aunque no estén en la agenda, o sugerir alguna dinámica energizante.

=== Equipo de facilitación ===

En nuestra experiencia, el equipo ideal está compuesto por tres personas por cada 8-12 participantes. Lo que se busca es contar con personas que cubran los siguientes aspectos:

* Conocimiento en el análisis de las computadoras y herramientas de seguridad digital.
* Conocimiento en técnicas pedagógicas.
* Capacidad de investigación.
* Trabajo en el tema de cuidados o acompañamiento psicológico a comunidades con estrés.

Es común que no se pueda contar con el equipo ideal. En su defecto, hay que tratar de apoyarse en recursos sobre el tema y que por cada facilitador no haya más de diez personas.

Si el equipo está compuesto por biohombres y biomujeres, es importante ser consciente que la tendencia en el trabajo con organizaciones es dar mayor peso a la palabra masculina en los aspectos técnicos o tal vez también pueden existir otras características dentro del equipo de facilitación que despierten asimetrías. Por lo tanto, es primordial tomar conciencia de los privilegios sociales que se le pueden atribuir a los diferentes miembros del equipo y tratar de mitigar prácticas jerarquizantes.

== Día 1 ==

[[File:13_ManualSD_TR.png|left|250px|Día 1]]

El trabajo ''in situ'' para el primer día se divide en dos partes: el trabajo colectivo y el inicio de la revisión de los equipos de cómputo y del ambiente físico.

=== Trabajo colectivo===
[[File:07_ManualSD_TR.png|600px]]

Es necesario llegar con anticipación para preparar el espacio de trabajo. Antes de iniciar la sesión:

* Colocar las sillas y las mesas en forma de medio círculo.
* Poner lápices de cera de colores y/o plumones y hojas en el centro de la mesa.
* Recortar y pegar tres columnas de papel kraft o [https://es.wikipedia.org/wiki/Papel_de_estraza estraza] sobre una pared visible para todos/as; estos deben ser tan largos como el equipo de facilitación alcance a escribir sobre de ellos.
* Recortar y pegar otra columna de papel kraft separada para el glosario.
* Pedir las contraseñas de internet por si es necesario investigar algo en el momento.

====Presentación====
Tiempo estimado: 10 minutos

La sesión inicia con una breve dinámica de presentación del equipo de facilitación y de los/as asistentes. En este punto se provee información sobre el equipo de facilitación así como de lo que se espera del diagnóstico. Se puede aprovechar para enfatizar que en el diagnóstico no hay respuestas buenas o respuestas malas, sino que hay lo que se hace, así, sin calificativos. Es primordial ser muy sensible para detectar si existe algún tipo de resistencia o temor por parte de algún participante, para verbalizarlo y hacer notar que el diagnóstico no es una evaluación hacia las personas, sino que busca conocer qué se hace y con qué se hace para sugerir un plan apropiado de seguridad digital. También hay que destacar que el equipo de facilitación sólo pretende ayudar a ir generando el diagnóstico pero que se parte del conocimiento que los/las participantes tienen, por lo que es indispensable su participación.

También como parte de la presentación es importante hacer acuerdos de formas de trabajo. En educación popular usamos:

* Forma es fondo
* La memoria es más extensa que la inteligencia.
* La memoria colectiva es más extensa que la memoria individual
* La letra con juego entra
* Nadie aprende en cabeza ajena
* Entre todos/as sabemos todo
* Nadie libera a nadie, nadie se libera solo. Nadie educa a nadie y nadie se educa solo
* Evitar negar a el/la compañero/a.
* Sumar la idea de el/la otro/a.
* Escucha activa
* Evitar calificativos
* Evitar monopolizar la palabra
* Para hacer más fructífera la discusión, ir sumando,no redundando en lo dicho
* No imponer ideas

====Actividad: Dibujar mi día al lado de la tecnología====
Tiempo estimado: 45 minutos

Objetivo: Conocer dispositivos, programas, aplicaciones que se usan y para qué se usan. Este ejercicio permite también conocer si los mismos dispositivos son usados para trabajo o actividades personales.

Descripción: Se pide a los/las asistentes que dibujen su día al lado de las tecnologías que ocupan (no sólo las de trabajo sino las que usan cotidianamente; por ejemplo, aplicaciones biométricas o de esparcimiento, como las de citas o sitios de taxi). Hay que mencionar que con esta actividad se busca una narrativa, así que para las personas que no se sienten tan cómodas dibujando, pueden escribir un texto.

Sugerencia: Antes de iniciar las presentaciones de los dibujos, podría ser útil dividir la primera columna del papel kraft en cuatro secciones: “Celular”, “Computadora”, “Celular+Computadora” y “Otros dispositivos”, para apuntar los usos de la tecnología bajo el tipo de dispositivo que más le corresponde.

Posteriormente, cada participante describe su dibujo. Mientras lo hace, un miembro del equipo de facilitación va apuntando en la primera columna de papel kraft los "Usos de la tecnología" que debe reflejar el dispositivo/aplicación y su uso, por ejemplo:

* Yo uso la alarma de mi celular para despertarme por la mañana.
* Uso mi computadora para escuchar música en Spotify.
* Utilizo una aplicación en mi celular para cuantificar mi pasos diarios.
* Uso Whatsapp en mi celular para compartir audios con mis colegas.
* Uso Dropbox para respaldar documentos de mi computadora.

Dependiendo de la cantidad de asistentes, no es necesario que todos/as expongan su dibujo; en todo caso, se puede pedir a algunos/as que lo hagan y después que el resto complemente si tiene algún uso que no se ha mencionado.

También cuando se sabe que hay aplicaciones que sirven tanto en el celular como en una computadora o tableta, hay que indagar si se usa sólo en un dispositivo o en todos.

Al final del ejercicio, tendremos una lista de usos de la tecnología.

====Actividad: ¿Qué información se produce?====
Tiempo estimado: 45 minutos

Objetivo: Detallar para cada uso de la tecnología, la información que se produce.
Descripción: Indicar para cada uso de la tecnología la información que se produce. Aunque parezca obvio, es necesario explicar a qué información se refiere. Por ejemplo, en el caso de una fotografía, la información que se produce no es en sí mismo el archivo digital que lo contiene, que puede ser un archivo .jpg o .png, sino lo que está en la foto; por ejemplo, qué es lo que fue tomado (un paisaje o personas), en qué momento, en qué lugar, etc. En el caso de una aplicación para taxis, la información que se produce va desde origen y destino, hasta frecuencia o forma de pago. Esta es una buena oportunidad para introducir el término '''Metadatos''' e incluirlo en el glosario. En este ejercicio es muy importante que se llegue al mayor detalle posible. La actividad se desarrolla completando la segunda columna de papel kraft con la información que se produce según el uso de la tecnología que se haya mencionado.

Al final del ejercicio, tendremos la lista de la información que generan la organización y sus integrantes.

====Actividad: Lluvia de actores====
Tiempo estimado: 30 minutos

Objetivo: Generar una extensa lista de actores que podrían tener un interés personal, político y/o económico de la información que la organización y su equipo de trabajo producen.

Descripción: La actividad consiste en discutir qué actores podrían estar interesados en cada información que se ha colocado en la lista. En esta actividad se tienen que verter todos los actores hipotéticos, sin descartar alguno, ya que en las siguientes actividades se podrán evaluar la motivación y recursos para quedarse con una lista más acotada.

Cabe explicar que la invitación es pensar en actores internacionales, nacionales, locales, políticos, grupos religiosos, periodistas, incluso en quienes pudieran tener algún tipo de interés personal, como particulares que tengan alguna inconformidad con el personal o la organización.

Durante la actividad se conecta a cada actor con la información que le podría interesar, usando plumones de colores por actor o usando estambre o hilo grueso para cada conexión. El equipo de facilitación, sin imponer puntos de vista, puede aportar información resultante de la investigación de contexto.

Tendremos una lista de actores relacionados con la información que produce la organización al finalizar el ejercicio.

====Actividad: Acotando actores====
Tiempo estimado: 40 minutos

Objetivo: Determinar actores que, además de tener motivación, podrían contar con los recursos necesarios para tratar de obtener información de la organización sin su consentimiento.

Descripción: Durante la actividad se discute sobre los actores mencionados: si cuentan con recursos o si se conoce que han implementando prácticas de vigilancia y/o espionaje. Se consideran recursos, no solo económicos, para poder llevar a cabo una acción: tener conocimientos, personas que pudieran ayudarles, relaciones con personas poderosas.

El equipo de facilitación debe aportar elementos sobre los diferentes tipos de recursos que se necesitan para intentar obtener información de la organización; por ejemplo: el robo de los equipos de cómputo, colocación de antenas falsas de celular, envío de malware (recordar que todos los términos nuevos se deben poner en el glosario, invitando a los participantes a escribir también).

El equipo de facilitación puede proveer de contexto sobre el marco legal y antecedentes de la vigilancia, para señalar cuáles actores están legalmente facultados para llevar a cabo la vigilancia; capacidad política o social/económica de influir sobre políticos y accesibilidad de la tecnología de vigilancia (capacidad técnica y económica).

Hay que recordar que este ejercicio tiene que ver con la percepción de cada participante, por lo que no es indispensable llegar a consensos, aunque es útil, y se puede dejar una anotación sobre las diferentes opiniones.

Con el ejercicio concluido, tendremos una lista acotada de actores que tienen capacidad de vigilancia, con interés en el trabajo de la organización.

====Actividad: El semáforo de la información====
Tiempo estimado: 40 minutos

Objetivo: Determinar qué información se considera sensible.

Descripción: Sobre la lista de información que la organización produce, para cada dato que pueda ser de interés para algún actor que se encuentra en la lista final de la actividad '''5''', se pregunta: ¿Qué harían los actores si obtienen la información? ¿Qué tan grave sería esto para la organización (sus campañas, la seguridad de sus contrapartes, la seguridad de las víctimas que acompaña, la seguridad de los integrantes de la organización, la reputación de la organización, su seguridad económica, etc.)? Si las consecuencias serían graves, poner un punto rojo. Si son consecuencias que llevan un costo importante para la organización pero son superables, un punto amarillo. Si es preferible que no ocurra pero el impacto sería mínimo o nulo, un punto verde.

Sugerencia: Insistir con los/las participantes que antes de elegir el color de semáforo justifiquen bien la elección. Por ejemplo, describiendo una situación hipotética y realista de la posible consecuencia o citando un caso parecido que haya sucedido, explicando cuál sería el impacto para la organización. Requiriendo una explicación de la propuesta de color de semáforo se fomentan la discusión y el debate entre los participantes, ayuda a que los resultados finales del diagnóstico estén realmente consensuados.

Al concluir la actividad, tendremos una lista de la información que se tiene que proteger de la vigilancia: todos los datos que tienen puntos rojos o amarillos.

====Actividad: Puertas y candados para la información====
Tiempo estimado: 15 minutos

[[File:16_ManualSD_TR.png|400px]]

Objetivo: Describir los mecanismos de protección que existen sobre la información sensible de la organización.

Descripción: Para toda la información que tiene que protegerse de la vigilancia, teniendo a la lista de “usos de tecnología” como referencia, preguntar dónde se encuentra esta información y cuáles medidas se han tomado hasta ahora para resguardarla y/o limitar el acceso de terceros a ella (llave, cifrado, contraseña, ubicación, temporalidad, nada, '''respaldos''', etc.). Apuntar las respuestas.

En esta actividad es necesario tratar de recuperar los saberes intuitivos que los miembros de la organización usan. Algunos no tendrán base alguna y puede ser un momento adecuado para eliminar falsos supuestos, pero en otros es posible sorprendernos con las estrategias que la gente desarrolla.

Al terminar el ejercicio, tendremos una lista de los usos de la tecnología por parte de la organización y sus integrantes, los cuales requieren la incorporación de mejores prácticas y herramientas de seguridad digital.

====Comentarios de cierre del trabajo colectivo====
Tiempo estimado: 15 minutos

Para poder concluir la sesión grupal se pregunta a los/as asistentes si en su percepción han tenido incidentes de seguridad en general y digital, en particular. Después, si se siente ansiedad o malestar en el grupo, hay que tratar de generar un diálogo sobre la importancia del diagnóstico como primer paso, proceso que nunca será perfecto sino que estará en transformación constante pero que será útil. Se puede recurrir a alguna dinámica corporal que ayude con el estrés.

[[File:22_ManualSD_TR.png|600px]]

Para cerrar, se explica que el siguiente paso es la revisión del ambiente físico y de los equipos de cómputo, enfatizando que no se trata de un análisis forense y que tampoco será el momento de instalar programas o arreglar problemas que se presentan, sino una mirada '''a vuelo de pájaro''' de estructura de la información que se guarda, programas, estado de antivirus. Hay que reforzar que no será un análisis que violente la privacidad, puesto que para algunas personas mostrar sus equipos de cómputo puede ser como mostrar el clóset de su habitación o el cajón que está al lado de la cama. También se aprovecha para recordar la importancia de contar con la total asistencia de quienes participarán en la sesión de retroalimentación de los hallazgos preliminares.

[[File:23_ManualSD_TR.png|left|450px|Celulares]]
Probablemente, un análisis más exhaustivo incluiría la revisión de móviles pero, a partir del análisis de las computadoras y de la actividad sobre usos de la tecnología, se pueden inferir muchas de las vulnerabilidades. Lo que se busca es no exponer a las personas en su intimidad. Concluyendo la sesión hay que recordar que la información deberá guardarse en un lugar seguro.

''Nota: Dependiendo del tiempo, se recomienda tomar uno o dos descansos.''

=== Análisis del ambiente físico y de los equipos de cómputo ===
[[File:17_ManualSD_TR.png|right|350px|Ambiente]]La seguridad digital depende también de las condiciones ambientales en las que se usan los dispositivos. Por tanto, es pertinente realizar una evaluación sistemática de algunos aspectos específicos de las instalaciones de trabajo, incluyendo:

a) La facilidad para acceder a la oficina: cuántas puertas y ventanas tiene y si están bien protegidas, si es fácil acceder desde alguna construcción vecina, etc.

b) Si la oficina cuenta con portero y si se cumple el protocolo acordado con él para el ingreso.

c) La existencia de alarmas y cámaras de seguridad. En caso de contar con cámaras, hay que asegurarse que funcionan y si graban. En ese caso, preguntar la existencia de protocolos para revisar los videos. También si tienen una pila para la alarma, en caso de un corte de energía eléctrica.

d) Si en la oficina hay espacios que se cierran bajo llave, conocer quiénes tienen las llaves y acceso a qué espacio. Si hay archiveros, también saber quiénes.

e) Otro aspecto a evaluar es si se recibe a gente externa a la organización en una sala en particular, y si los/as visitantes podrían desde ahí dirigirse fácilmente a otra área dentro de la oficina (se busca saber si es posible robar equipos o dejar un dispositivo tipo keylogger).

f) Estado de la construcción, especialmente si hay humedad, y si las conexiones eléctricas están en buen estado. También verificar si hay sobrecarga de dispositivos en una misma conexión y si se usan reguladores.

Como parte de esta revisión general hay que observar si las computadoras están conectadas usando una red inalámbrica o por ethernet, la configuración de la red, la fortaleza de la contraseña de la red inalámbrica, si el módem ha cambiado su configuración de origen y la compañía que ofrece el servicio.

Para la revisión de los equipos de cómputo hay que recordar que no se trata de un análisis forense y la profundidad con la que se realice depende de los conocimientos técnicos del equipo de facilitadores y el tiempo. En caso de sospechar la presencia de '''malware''', si se quiere documentar para tomar acciones legales, es mejor no trabajar sobre el equipo y generar una copia. Por sí mismo, esto es un trabajo independiente, pero si se requiere se puede iniciar con un sistema en vivo GNU-Linux (el comando ''dd'' puede ser una opción).

Considerando el tiempo promedio que requiere el análisis de las computadoras, recomendamos intentar hacer al menos 10 equipos que correspondan a las diferentes áreas de trabajo, ya que lo que se pretende es tener una muestra lo más completa posible.

El análisis de las computadoras se concentra en tres puntos: a) vulnerabilidades en los equipos por ausencia de antivirus, desactivación de firewall o falta de actualizaciones de seguridad; b) instalación y uso de programas que tienen vulnerabilidades, malware, adware u otro tipo de software malicioso; c) exposición por uso del navegador de internet.

Para poder evaluar los puntos anteriores, en el caso del sistema operativo Windows, desde la terminal cmd se pueden usar los siguientes comandos: systeminfo, tasklist y wmic. Después se va al visor de eventos y se guardan los logs de eventos de seguridad, de hardware, aplicación, administrativos, instalación y sistema para una revisión rápida.

En OS X puedes usar Información del sistema y la consola para mirar los logs. En GNU-Linux hay una variedad amplia de comandos para listar programas y ver los logs.

Se revisa el estado de firewall.

Se detecta si se tiene antivirus, versión de la base de datos y logs. Si no se tiene antivirus o está desactivado se debe considerar usar una de las versiones en vivo.

Se revisa que navegador/es se usan, guardado del historial, guardado de contraseñas y plugins instalados.

'''Sugerencia''': dependiendo de las habilidades del equipo de facilitación, se puede generar un ''script'' para automatizar la revisión del firewall y de los logs.

'''Sugerencia''': Al revisar los logs también es posible automatizarlos mediante un ''script'', es importante poner atención en las direcciones IP recurrentes.

'''Sugerencia''': Puedes hacer un mapeo completo de la red para verificar equipos conectados y usuarios. Para la Wifi puedes verificar tipo de cifrado, vpn y/o vlan.

== Evaluación del día y revisión de archivos ==
[[File:18_ManualSD_TR.png|right|400px|Análisis]]
Para lograr concluir el trabajo en tiempo, el tener una breve reunión de evaluación en la que se puedan intercambiar observaciones, posibilidades para el segundo día, preocupaciones, aspectos positivos del trabajo y cómo se siente el equipo de facilitación, hará más eficiente el tiempo restante.

A partir de la reunión general y los primeros resultados de los equipos de cómputo, se puede iniciar ya la sistematización para la redacción del informe preliminar. En el anexo 1 podrás encontrar una propuesta de formato. El objetivo en general es organizar la información, considerando los riesgos encontrados y, a partir de ello, proponer una ruta de fortalecimiento en seguridad digital para la organización.

El informe debe considerar:

* Hallazgos de la evaluación del ambiente físico.
* Análisis de amenazas a la información:
a) Riesgo: Pérdida de información por fallo de hardware, robo o pérdida de hardware, o error humano

b) Riesgo: Pérdida de información por ataque de malware y

c) Riesgo: Vigilancia o robo de datos.

* Recomendaciones.

Para este momento se tendrá además mucha información que revisar y procesar. Sobre los archivos que se tienen de los equipos, hay que evaluar programas instalados y, si hay algunos que son poco comunes, investigar sobre ellos. '''En otros casos se conocen más las vulnerabilidades''', por ejemplo: en programas para comunicación por voz si usan o no cifrado en tránsito. Para los logs, lo que se necesita es una vista '''a vuelo de pájaro''', entonces se tiene que relacionar la información con lo que la gente ha manifestado que hace o detectar si se reportó algún incidente extraño. Por ejemplo, si el trabajo en la oficina es siempre matutino, será anormal encontrar que hay un reporte de inicio del sistema por la noche. También hay que familiarizarse con los procesos que comúnmente se ejecutan en los diferentes sistemas operativos para observar si hay procesos inusuales.

La profundidad con la que se logre la revisión de eventos del sistema y lista de tareas, depende mucho de los conocimientos y la experiencia que tiene el equipo de facilitación. Para introducirse en el tema es útil investigar aspectos como los programas comunes de inicio de los sistemas operativos y los códigos de errores. La idea muchas veces no es encontrar un error sino buscar patrones y anomalías.

== Día 2 ==
[[File:13_ManualSD_TR.png|left|200px|sol]] La jornada del segundo día consiste en tres etapas: 1) Primera conclusión de la revisión de los equipos de cómputo; 2) la redacción del informe preliminar; y 3) la discusión del mismo con la organización.

=== Conclusión del análisis de equipos de cómputo y redacción del informe preliminar ===

Lo deseable es ocupar entre tres y cuatro horas para terminar con la revisión de los equipos para dejar suficiente tiempo para concluir el informe preliminar (aproximadamente dos horas) y reservar unos minutos para la impresión.

En la redacción del informe hay que tener cuidado con proveer una argumentación sólida que justifique las recomendaciones. Si bien el objetivo no es redactar una explicación extensa sobre cada vulnerabilidad encontrada, en algunos casos ayudará para apropiarse de la propuesta, entender el por qué algo es considerado un riesgo. El informe debe poder hilar aspectos de contexto social, político y económico con aspectos más técnicos. También, sin minimizar los riesgos, se debe ser responsable con la forma en la que se plantean las vulnerabilidades.

Las recomendaciones deben asumir las condiciones reales de cada organización. A veces la mejor opción es la que, en efecto, se podrá implementar; de nada sirve proponer cambiar de equipos o poner un servidor interno si no hay condiciones. Sin embargo, es posible sugerir recomendaciones a largo plazo. Las propuestas deben ser claras respecto a los requerimientos para ser implementadas, incluyendo los tiempos. En nuestra experiencia, es importante poder comprometer a la organización en acciones a corto plazo que alienten su interés y visibilicen que es posible tomar algunas acciones. De tal forma, la seguridad como un paso a la vez, se fortalece con prácticas más autónomas.

En el Anexo I se encontrará se sugiere una plantilla para que facilitar el proceso de redacción del reporte preliminar.

===Presentación del informe preliminar ===
[[File:20_ManualSD_TR.png|600px]]

El tiempo estimado para esta actividad es de dos horas. Se inicia explicando que el informe es una primera versión que tiene como objetivo compartir con la organización los hallazgos y las recomendaciones, que es un momento valioso para hacer cambios por si se ha entendido mal alguna cosa o si hay información que no quedó incluida, y que se alcance un acuerdo interno con el equipo de facilitación respecto a las recomendaciones finales.

Se dan unos minutos para que cada participante lea el informe y, posteriormente, se hace una lectura colectiva, dando la oportunidad para la retroalimentación.

En la sección de recomendaciones es fundamental que quede claro lo que se propone, tiempos, y las razones por las cuales se hace cada recomendación.

Finalmente, se crea un acuerdo sobre el medio oportuno para hacer la entrega del informe final y la confidencialidad de la información, acordar como se destruye el papel kraft usado y si es necesario destruir también las copias del informe preliminar. Si aún queda algo de tiempo se puede pedir una breve evaluación de los/as participantes sobre la experiencia del diagnóstico en el ánimo de hacerlo cada vez mejor.

En el caso de que el equipo facilitador tenga que conservar algunos archivos del análisis de computadoras para un análisis más profundo, debe considerar la vía más segura para transportarlos, guardarlos y borrarlos posteriormente.

== Diagnóstico final ==
[[File:19_ManualSD_TR.png|left|300px|Informe]] La versión final del informe del diagnóstico debe incluir todos los cambios sugeridos en la reunión de retroalimentación. Su elaboración es una oportunidad para añadir una argumentación más detallada sobre vulnerabilidades, empresas, condiciones económicas y/o políticas. Inevitablemente implicaría investigación adicional para poder llenar huecos de información que no se pudieron resolver durante la actividad de análisis de amenazas, y para contar con la información más actualizada sobre las herramientas cuyas ventajas y desventajas se evaluaron. La investigación es fundamental para maximizar la pertinencia de las recomendaciones y la claridad de su justificación.

[[File:21_ManualSD_TR.png|right|300px|Envio]]El último paso en el diagnóstico es hacer llegar el reporte final a la organización. Es importante que se envíe por un medio seguro, ya que el reporte puede contener información altamente sensible sobre la organización, y también para establecer un buen antecedente al manejar cuidadosamente el transporte de información sensible.

== Recursos útiles ==

Sin duda, mantenerse actualizado sobre las herramientas y tener acceso a información que nos ayude en los proceso formativos de seguridad digital, es complicado. A continuación, listamos algunos recursos útiles, pero hay que recordar que los cambios en el tema se están dando en tiempos muy cortos, por lo que hay que buscar actualizarse y, si se tiene la oportunidad, compartir los recursos que se encuentren con la comunidad.

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual/es Manual Zen]
* [https://securityinabox.org/es/ Seguridad en una caja]
* [https://ssd.eff.org/es Autoprotección Digital Contra La Vigilancia: Consejos, Herramientas y Guías Para Tener Comunicaciones Más Seguras]
* Documentos de [https://karisma.org.co/biblioteca/ Fundación Karisma]
* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

En inglés:

* [https://holistic-security.tacticaltech.org Seguridad holística]
* [https://safetag.org/ SAFETAG]
* [https://level-up.cc/ Level-up]

==Agradecimientos ==
[[File:25_ManualSD_TR.png|300px]]

Agradecemos profundamente a Jacobo Nájera, Hedme Sierra Castro y William Vides por su revisión de la versión en español y a Alexandra Hache por la lectura de la primera versión de este documento. Agradecemos también a Mónica Ortiz por la corrección ortográfica y de estilo.

==Créditos ==
Esta guía fue escrita por [http://tecnicasrudas.org Técnicas Rudas] con el apoyo del "Institute for War
and Peace Reporting" [http://iwpr.net IWPR].

<gallery>
IWPR-LOGO.png|IWPR
LogoTR.png|Técnicas Rudas
</gallery>

Diseño: María Silva y Yutsil Mangas

==Anexo I==
[https://gendersec.tacticaltech.org/wiki/images/8/8c/Diagn%C3%B3sticoSeguridadDigital_InformePreliminar_Plantilla.odt Plantilla para el reporte final del Diagnóstico en Seguridad Digital]

==Versión en inglés==
[https://gendersec.tacticaltech.org/wiki/index.php/Digital_Security_Assessment_for_Human_Rights_Organizations:_A_guide_for_facilitators Versión al ingles]
==Referencias==

[[Category:How_To]]
[[Category:Resources]]

Digital Security Assessment for Human Rights Organizations: A guide for facilitators

2017-09-08T19:53:26Z

Anamhoo:

[[File:01_ManualSD_TR.png|600px]]
== Introduction ==
[[File:24_ManualSD_TR.png|center|600px]]

Advances in Information and Communications Technologies (ICT) have played a critical role in expanding the potential of human rights organizations to make a difference by enabling wider reach, scaling-up and increasing efficiency in essential activities including internal and external communication, remote collaboration, data collection and analysis, and documentation. Simultaneously, the integration of digital technologies into their day to to day work has exposed activists to new risks evidenced by reports of widespread intrusions on privacy from the hacking of emails and Facebook accounts to the infecting of computers with government-purchased spyware and the monitoring of telephone communication. These new risks are also present in the physical robbery of computers, as well as the loss or theft of cellphones containing both personal and professional data. Unwanted access to confidential information can expose activists to a range of threats including blackmail, public humiliation, obstruction of campaign strategies and day-to-day operations through physical, economic or technical interventions, and attacks on their physical security and that of their families and allies in the field.

Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: Either resign to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs all together because it is not worth the risk.

At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenged faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a [https://holistic-security.tacticaltech.org/ holistic security strategy].

Unfortunately, due to lack of time, resources and information, civil society organizations and activists rarely embark on a deliberate process for developing a digital security strategy beyond receiving input from technical experts to resolve immediate issues or learning about best practices and new tools. As a result, agreements to use certain tools or abide by certain protocols are abandoned over time.

For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.

==How to use this guide==

[[File:02_ManualSD_TR.png|400px]]

This guide is directed primarily at the digital security training community, but may also prove useful for an organization that chooses to initiate a digital security process on its own. The activities and structure proposed herein can and should be adapted to the specific circumstances and needs of the organization. The guide can also be a useful reference for facilitators throughout the implementation of the diagnostic. The methodology can also be applied to individual assessments with minimal adjustments.

== Methodological Foundations==

The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.

=== Why "technopolitical"? ===
[[File:03_ManualSD_TR.png|left|350px|Tech]][[File:09_ManualSD_TR.png|riaght|350px|Tech2]]

A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".

A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment, however it also incorporates criteria related to social impact in its guidance on how to develop recommendations.

One example of applying a technopolitcal perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of [https://chupadados.codingrights.org/es/ Coding Rights]).

Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 government-driven surveillance and espionage taking place on a global scale]. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html systematic use of government-purchased spyware against human rights activists and journalists].

Other examples of and practical resources on technopolitics: Everything you read by the [https://www.eff.org/ Electronic Frontier Foundation]; Tactical Tech's [https://tacticaltech.org/projects/27 Politics of Data] project; a Human Rights Watch series on [https://www.hrw.org/news/2016/03/25/digital-disruption-human-rights “Digital Disruption of Human Rights”]; research projects by the [https://www.theengineroom.org/work/=research Engine Room]; the Data&Society Institute's program on [https://datasociety.net/initiatives/data-human-rights/ Data, Human Rights & Human Security].

Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.

=== Transhackfeminism===
[[File:04_ManualSD_TR.png|600px]]

Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:

a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries.

b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of ''Pitchblende'' to obtain just one gram of the material that led her to discover the radio.

c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization.

Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.

=== Popular Education===
[[File:05_ManualSD_TR.png|600px]]

Popular education starts with the recognition that education is a political act. This political act can be repressive if it establishes hierarchical power relations, or emancipatory if it breaks them. In line with popular education, we are proponents of the emancipatory role of education. Our methodology for the facilitation of the participatory diagnostic is guided by the following three axioms:

1) theory and practice are dialectically related

2) consciousness - as its etymology indicates - comes from knowledge learned in the company of others

3) The world not a static reality, but a reality in process (Paulo Freire) <ref>Greater detail on popular education is beyond the scope of this manual, however there is an extensive body of literature on the subject. We recommend starting with [Paolo Freire] (https://es.wikipedia.org/wiki/Paulo_Freire).</ref>

== Preparation ==

[[File:06_ManualSD_TR.png|300px]]

Though the bulk of the diagnostic is carried out ''in situ'' with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of the how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.

=== Research ===
[[File:26_ManualSD_TR.png|500px]]

a) Get to know the organization.

Most likely, you already know something about the organization before deciding to work with them. However, it's important to expand that knowledge as much as possible for two objectives: 1) to evaluate risk for the facilitation team, and 2) to ensure that the assessment process itself is appropriate for the context and culture of the organization.

Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the ''in situ'' participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.

When collecting "public information" for this initial review, consider anything that can be found in media outlets, press releases, political statements, posts on social media, as well as information about the server, legal representative and technical team associated with the domain, any sub-domains and official web address (which can be relatively easily found using websites such as https://whois.net/default.aspx), and if possible, the company that provides the organization's email services.

Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII)<ref>PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.</ref> could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?

b) Analysis of the regional, national and local technopolitical context

In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services,<ref>A potentially helpful resource for answering this question is ShareLab's ([https://labs.rs/en/metadata/ metadata investigation of spy company Hacking Team's email communications]).</ref> as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.

It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.

c) Get up-to-date on programs and tools

This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.

It is also indispensable to be familiar with the business models, privacy policies, and transparency reports of the major companies that provide common ICT services, as well as the security features and any reported security flaws in connection with their products. Consider:

* email
* instant-messaging apps
* file sharing, calendars, real-time shared document editing and other cloud services
* video conferencing
* online tech support programs
* social media platforms
* operating systems
* mobile telecommunications

=== Useful Materials===

For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.

[[File:08_ManualSD_TR.png|left|200px|Computer diagnostics]] For the computer diagnostics: At least two completely clean pin drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.

===Planning and communicating the agenda===

Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work ''in situ''. However, the facilitators should be prepared to dedicate additional time between sessions.

Depending on how the organization is structured, it is crucial that at least one member from each area participate in the diagnostic. This requirement should be extremely clear in the communications with the organization leading up to the diagnostic, as they are likely to only invite technical staff and/or directors. The purpose of requiring at least one person from each area is to obtain the most accurate and complete portrayal of how the organization works.

We recommended the following distribution of activities over the course of 1-2 consecutive days:

'''Day One'''

Morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).

Afternoon session (Facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.

'''Day Two'''

Morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.

It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.

Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one-two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators because you will have to run the computer diagnostics in the afternoon of Day 1 and/or morning of Day 2.

===Planning your trip===
[[File:10_ManualSD_TR.png|400px]]

In planning your trip consider the following factors: budget, security assessment for the facilitators, adequate rest, and conditions that permit you to work late into the night (just in case).

While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.

===Collective care===
[[File:12_ManualSD_TR.png|600px]]

A positive work environment maximizes the focus and energy levels of both the participants and the facilitators. Here are some collective-care measures that facilitators can take before and during the diagnostic:

1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.

[[File:11_ManualSD_TR.png|200px]]

2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.

===Facilitators===

In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:

* Systems Administration
* Analysis of ICTs, and digital security tools
* Pedagogical techniques
* Research on technopolitical topics
* Sensitivity in situations of high emotional stress

You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.

If the team is comprised of biological men and biological women,<ref>Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.</ref> it is important to be aware that organizations (society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred to different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.

== Implementation==

The first day of the ''in situ'' stage of the assessment is comprised of two activities: collective risk analysis with the members of the organization, simultaneously with the hardware diagnostics and evaluation of the facilities.

=== Collective risk analysis ===
[[File:07_ManualSD_TR.png|600px]]

Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:

* Arrange the tables and chairs in a semicircle or U

* Distribute crayons, markers and paper on the table

* Place three long columns of kraft paper on a wall visible to all participants

* On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary

* Obtain the WIFI password in case you need to/are able to research doubts online during the session

1. Presentation (Estimated duration: 10 min)

Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.

To create a constructive environment for conversation, debate and self-expression, it's helpful to agree on some basic guidelines for participation, such as but not limited to:

1. Listen actively and with an open mind to the contributions of others
2. Avoid monopolizing the conversation and interrupting others
3. Be courageous, share your experience and perspective

2. Activity: Around-the-clock (Estimated duration: 45 min)

Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.

Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.

Tip 1: While the participants are working on their drawings, write "Uses of technology" at the top of the first column of kraft paper and divide the column into four roughly equal sections that you label: Cell phone/tablet; Computer; Computer+Cell/tablet; Other devices. This will help organize the notes you take when the participants present their drawings.

After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages partipants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:

- "I use the alarm on my cellphone to wake up in the morning"
- "I use my computer to listen to music with Spotify"
- "I use an app on my cellphone that counts steps"
- "I use Whatsapp to share audio files with my colleagues"
- "I use Dropbox from my computer to backup my documents"

Tip 2: It is not necessary that each and every participant present their drawing. In the interest of time, after a few people have presented, encourage the remaining participants to share uses of technology that have not yet been presented.

Tip 3: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.

Result: At the conclusion of this exercise, you will have a list of the typical ways that the members of the organization use technology.

3. Activity: What information is produced? (Estimated duration: 45 min)

Objective: Determine what information is produced as a consequence of each use of technology.

Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 1), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate because in the course of this activity it is important to be as detailed and exhaustive as possibe. As a consensus is reached, capture the answer in the second column of kraft paper.

Tip 1: Though it may it seem obvious, it is important to provide a clear definition of the word "information". For example, in the case of a photograph, the information is not "the photo", which only refers to the jpg or png file, but the content of the image, such as what is happening, the identities of the people in the picture, their location and the time and date of the event, etc. In the case of an app for taxis, the information produced would be origins and destinations of travel, frequency of certain routes and methods of payment.

Tip 2: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.

Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.

4. Activity: Actor Brainstorm (Approximate duration: 1 hour)

Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.

Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.

After completing the list of actors, connect each actor (from column 3) with the information they would be interested in (from column 2) extending a piece of thread from the actor toward the corresponding information. Throughout the exercise, when you consider it pertinent, contribute information about the technopolitical context that the members of the organization may not be taking into account.

Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.

Tip 1: Assign a distinct color of thread to each actor or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.

Tip 2: If the participants are having a hard time coming up with ideas, suggest that they consider a range of types of actors, including international, national, local, political, religious groups, media, and even private individuals with personal interests or vendetta against the organization or its members.

Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).

5. Activity: Actor brainstorm continued- Narrowing down (Estimated duration: 1 hour)

Objective: Determine which actors, in addition to having interest in the information produced from the organization, also possess the capacities and resources necessary to obtain that information without the organization's consent.

Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.

Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.

In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.

When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.

Tip 1: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.

Tip 2: During this exercise, it would be extremely useful to have on hand a table, chart, or infographic that clearly illustrates the legal, technical, and economic prerequisites for obtaining and using different surveillance tools, as well as the specific types of ICTs that these distinct surveillance tools are capable of attacking.

Result: At the conclusion of this exercise, you will have narrowed down a list of actors who have a) an interest in obtaining the organization's information and b) the capacity to obtain it.

6. Activity: Traffic lights (Estimated duration: 1 hour)

Objective: Determine which of the organization's information is sensitive.

Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity '''5'''), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.

Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.

Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".

7. Activity: Doors and Locks (Estimated time: 20 min)

[[File:16_ManualSD_TR.png|400px]]

Objective: Identify mechanisms that could help protect the organization's sensitive information.

Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.

Refer back column 1 of the kraft paper "Uses of technology" to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.

Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:

Tip: In some contexts it may appear that participants do not have enough technical knowledge to have placed adequate "locks" on all their "doors". However, be wary of making false assumptions. Often, organizations put in place digital security mechanisms intuitively, and as facilitators, you should recognize that and bring these advances to their attention.

Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.

8. Closing (Approximate duration: 20 min)

To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.

If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.

Before parting ways, make sure to briefly explain to the group that the next stage of the diagnostic consists in the revision of the staff's computers and the facilities. Make clear that this review is not a forensic analysis, that no programs will be installed on the computers, and that no technical issues will be fixed. Rather, this part of the assessment will offer a bird's eye view of the type of information that is stored, programs that have been installed, and the state of antivirus protections.

Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.

[[File:22_ManualSD_TR.png|600px]]

The collective risk analysis is now complete. Your final step is to transcribe the results into the preliminary report template (Annex I).

'''Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.'''

=== Computer diagnostics and evaluation of facilities===
[[File:17_ManualSD_TR.png|300px]]

Another aspect of digital security is the environment in which devices are being used. Therefore it is important to undertake a systematic evaluation of some of the specific aspects of the facilities and local ICT infrastructure, including:

a) How easy/difficult it is to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.

b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?

c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?

d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?

e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?

f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.

As part of this general review, consider the following checklist:

- Determine if the staff's computers are connected to the internet via WIFI or Ethernet
- Evaluate the network configuration, the strength of the WIFI password, encryption type, and if they have VPN or VLAN configured
- Determine if the modem's original configuration has been changed
- Identify the organization's internet service provider

Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.

Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.

Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.

Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU_Linux operating system (the command '''dd''' could be a good option).

We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.

The main points covered in the computer diagnostics are:

- vulnerabilities due to the absence of an antivirus program, inactive firewall, and lack of security updates
- installation of programs that contain vulnerabilities such as malware, adware and other malicious software
- the exposure of sensitive data due to browsing the internet

If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.

In OS X, you can access the "Console" from the Utilities folder to review the system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.

On all operating systems, perform the following steps:

1. Check the status of firewall on all operating systems
2. Check the status of antivirus protections on the computers, including if an antivirus software is installed, if the database is up-to-date, and logs
3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you
4. Check which search engines are used, if search history and passwords are saved, and which plugins are installed

=== Reviewing findings ===

[[File:21_ManualSD_TR.png|left|300px|RF]][[File:08_ManualSD_TR.png|right|200px|Computer]]

At this time, you will have a large amount of information to review and process.

With respect to the files you saved during the computer diagnostics, review the programs installed. If any standout as uncommon, conduct additional research to determine if they may be a potential threat.

In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.

Tip: Prior to implementing the diagnostic, facilitators should familiarize themselves with common processes that are executed in the main operating systems and how those appear in event logs. With this knowledge under your belt, you will be able to more readily detect unusual processes when they are reported in logs. Remember that the goal is not so much to search for specific errors, but to discover patterns and anomalies.

=== Preparing the preliminary report ===

With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).

The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.

Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.

The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with [https://en.wikipedia.org/wiki/Planned_obsolescence built-in obsolescence] and to opt for [https://en.wikipedia.org/wiki/Free_and_open-source_softwareopen-source and free software].

Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.

=== Presenting the preliminary report ===
[[File:20_ManualSD_TR.png|600px]]

The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.

Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.

When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.

When all the feedback has been given and a consensus has been reached on the content of the preliminary report, the session is essentially adjourned. However, if any time remains, we highly recommend asking the participants to give you feedback on the methodology and facilitation style, as well as their overall sense of the utility of the diagnostic.

Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).

The facilitators must take care to securely transport any files from the computer diagnostics that require further analysis or incorporation into the final report. Securely delete these files once they are no longer needed.

== Putting together the final report==
[[File:19_ManualSD_TR.png|left|300px|Report]] The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.

The last step in the diagnostic is to deliver the final report to the organization. Make sure to send the report using a secure medium as it contains highly sensitive information about the security vulnerabilities of the organization. This is also an opportunity to set a precedent for the handling and transportation of sensitive files.

== Additional resources ==

Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual Zen Manual]

* [https://securityinabox.org/en Security In-A-Box]

* [https://ssd.eff.org Surveillance Self-Defense Security Starter Pack]

* [https://holistic-security.tacticaltech.org Holistic Security]

* [https://safetag.org/ SAFETAG]

* [https://level-up.cc/ Level-up]

In Spanish:

* Materials from [https://karisma.org.co/biblioteca/ Fundación Karisma]

* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

== Acknowledgments ==
[[File:25_ManualSD_TR.png|300px]]

Técnicas Rudas is immeasurably grateful to Ercilia Sahores (Verbamate) for
dedicating more than one sleepless night to helping translate the
original Spanish text of this manual into English. We would also like to
thank Sophie Elizabeth Lally and Philippa Mary Williams for their
meticulous revisions and invaluable contributions in revising and
adapting the content of the English-language manual.

==Credits==
This guide was written by [http://tecnicasrudas.org Técnicas Rudas] with the support of the [https://iwpr.net/ Institute for War and Peace Reporting]. Illustrated by María Silva and Yutsil Mangas.

[[File:LogoTR.png|300px]] [[File:IWPR-LOGO.png|350px]]

== Appendix I: Report Template ==
[https://gendersec.tacticaltech.org/wiki/images/d/d7/DigitalSecurityRiskAssessment_PreliminaryReport_Template.odt Digital Security Risk Assesment Report Template]

==Spanish version==
[https://gendersec.tacticaltech.org/wiki/index.php/Diagn%C3%B3sticos_en_seguridad_digital_para_organizaciones_defensoras_de_derechos_humanos_y_del_territorio:_un_manual_para_facilitadores Spanish guide]

== References ==

[[Category:How_To]]

Diagnósticos en seguridad digital para organizaciones defensoras de derechos humanos y del territorio: un manual para facilitadores

2017-09-08T19:50:56Z

Anamhoo:

[[File:01_ManualSD_TR.png|600px]]
== Presentando el manual ==
[[File:24_ManualSD_TR.png|center|600px|Introducción]]

En la mitología griega, Dedalus era un creador de artefactos, sus obras mostraban constantemente el profundo conflicto entre la innovación y su uso como herramienta del poder o la ambición. Como si fuese uno más de los artefactos de Dedalus, entre los sueños utópicos y las pesadillas, la tecnología actual no ha logrado escapar de sus propias paradojas. En el sueño de Dedalus, la innovación tecnológica serviría para volar y escapar del encierro pero en ese impulso humano de quedar cegado ante lo luminoso y la posibilidad, Ícaro, su hijo, llevó al límite el sueño.

Actualmente, la tecnología sigue jugando este papel: en el sueño potencia nuestra libertad y bienestar, pero se juega siempre en el límite. En el caso de las tecnologías de la información y la comunicación (TIC), como en la mitología, éstas nos dan la posibilidad de buscar la libertad traspasando fronteras, combatiendo discursos dominantes de odio, dando espacios para lo diverso, el encontrarnos y reconocernos, el compartir. Sin embargo, atadas a sus propias vulnerabilidades, las TIC exponen a quienes las usamos a riesgos como la vigilancia, el espionaje e incluso la manipulación.

El trabajo de los y las defensoras de los derechos humanos y del territorio, sin duda, se ha beneficiado del desarrollo de nuevas tecnologías para actividades importantes como comunicarnos, generar campañas, compartir información, hacer análisis, documentar casos y guardar datos. Al mismo tiempo, el uso de la tecnología ha generado nuevas vulnerabilidades, evidenciadas por eventos documentados, entre ellos: la infección de computadoras por autoridades gubernamentales con programas para vigilar, compra de equipos para monitorear llamadas, robo de computadoras a organizaciones sociales, pérdida/robo del celular con información personal y de trabajo que después se expuso en redes sociales, espionaje sobre redes sociales e intrusión en cuentas de correo o facebook.

La información que comúnmente nos llega sobre la capacidad de vigilancia que podría tener el Estado, algún cartel e incluso particulares, usando la tecnología, puede exacerbar el miedo y fomentar la autocensura. Puede parecer que solo hay dos opciones extremas: o ''usa la tecnología sin protección porque no hay nada que puedas hacer'' o ''destruyamos la tecnología''. En la práctica, esta disyuntiva se reduce a la decisión de usarla o no.

Nosotras abogamos por una postura distinta, que no parte de la desesperación, ni de responder con violencia, sino con auto-determinación: si bien la tecnología no es ni el principio ni el final del problema, un uso consciente puede potenciar nuestras acciones, evitar o mitigar vulnerabilidades y ayudar al cuidado colectivo.

A partir de nuestra propia experiencia dentro de colectivos, trabajo con organizaciones muy diversas e investigación, creemos que es importante generar estrategias y sumar a los análisis de seguridad de las organizaciones lo que se conoce como seguridad digital; que implica analizar nuestro uso de la tecnología, entender nuestras vulnerabilidades, encontrar herramientas que nos sean oportunas y desarrollar capacidades internas para integrarla dentro de un esquema general de seguridad.

Desafortunadamente, las organizaciones y colectivos, debido a problemas como la falta de tiempo, recursos o conocimientos, pocas veces cuentan con la oportunidad de generar esta integración de la seguridad digital como un proceso. Esto resulta frecuentemente en que al final las medidas acordadas se abandonan con el tiempo.

Desde las comunidades técnicas que tienen un compromiso social, existe también una dificultad para contribuir en estos procesos, ya que en muchos casos, si bien los conocimientos sobre seguridad digital pueden ser sólidos, la falta de estrategias pedagógicas o de experiencia sobre las condiciones reales en las que se desarrolla el trabajo cotidiano de las organizaciones, se crea una barrera que impide la comunicación y la transferencia de conocimientos.

Para que un proceso de seguridad digital sea apropiado efectivamente por las organizaciones, es fundamental que el conocimiento no se integre desde las voces expertas, sino desde el compartir y recrear. El paso inicial de tal proceso es el diagnóstico participativo.

En este manual, las '''Técnicas Rudas''' presentamos una propuesta metodológica para implementar diagnósticos de seguridad digital para organizaciones que trabajan en la defensa de los derechos humanos y/o del territorio. Este manual está dirigido especialmente a talleristas, facilitadores y expertos en seguridad digital que trabajen con organizaciones sociales. Sin embargo, creemos que puede ser útil para guiar a una organización que decida iniciar el proceso por sí misma.

La propuesta se caracteriza porque tiene una postura tecnopolítica e introduce una mirada feminista. En consecuencia, se basa en la educación popular como herramienta pedagógica.

==¿Cómo usar esta guía?==
[[File:02_ManualSD_TR.png|center|600px|Cómo?]]

Está guía esta enfocada en la comunidad de entrenadores o facilitadores en seguridad digital, pero también puede ser útil para una organización que ha tomado la decisión de iniciar su proceso de seguridad digital por sí misma. La estructura y las actividades propuestas puede y debe adaptarse a las circunstancias y necesidades específicas de la organización. La guía también puede ser una referencia útil para los facilitadores cuando llevan a cabo el diagnóstico de una organización o grupo. La metodología también puede aplicarse a evaluaciones individuales con ajustes mínimos.

=== ¿Por qué es necesaria la mirada tecnopolítica? ===

De forma superficial, el debate sobre las vulnerabilidades limita las consecuencias en el ámbito de la privacidad individual, generando una respuesta particularizada que se reduce a frases como “no tengo nada que ocultar", que no logra integrar el alcance social que estas tienen. Mientras que los especialistas buscan soluciones reduccionistas, como el que una aplicación se encargue de '''parchar vulnerabilidades'''.

[[File:03_ManualSD_TR.png|left|400px|Tecnopolitica]]Sin embargo, un análisis más profundo sobre la tecnología, da cuenta de cómo en las diferentes fases de los procesos tecnológicos existe una visión política-económica. Así, al momento de ser construida, se hace evidente la necesidad de analizar de dónde se obtienen los minerales indispensables para sus componentes, las manos de quienes trabajaron para su producción, las condiciones laborales; en dónde es producida y cómo llega a los mercados, el cómo estas mercancías serán consumidas, cruzadas por el género y la clase. Y al final serán desechadas bajo un esquema territorial del planeta, impuesto desde un porcentaje pequeño de la población que acumula la riqueza.

Esta mirada profunda que identificamos como tecnopolítica, ha hecho evidente que existe un interés económico en la obtención de datos personales a partir del uso de medios digitales. Por ejemplo, se puede ver la investigación de [https://chupadados.codingrights.org/es/ Coding Rights].

También han sido expuestas evidencias de vigilancia local y global. Por ejemplo, al momento de escribir este manual, en México se han mostrado evidencias de espionaje a periodistas y organizaciones defensoras de derechos humanos usando el software ''Pegasus''<ref>https://r3d.mx/2017/06/19/gobierno-espia/</ref>.

Para la región, en 2015, filtraciones de correos de la empresa Hacking Team evidenciaron la enorme inversión que gobiernos latinoamericanos habían hecho en hardware y software para la vigilancia<ref>https://www.derechosdigitales.org/wp-content/uploads/malware-para-la-vigilancia.pdf </ref>.

Sobre vigilancia masiva, el caso más conocido fue el de las [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 filtraciones] hechas por Edward Snowden en 2013, que mostraron un elaborado aparato de vigilancia global operada por la NSA (National Security Agency por sus siglas en inglés) de Estados Unidos <ref> https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29</ref>.

Considerando las condiciones sociales es importante alertar a quienes defienden los derechos humanos y el territorio que usan las TIC para sus comunicaciones, incluso como parte de sus estrategias de lucha, sobre sus vulnerabilidades.

La seguridad digital requiere una mirada tecnopolítica porque solo podrá responder certeramente a los retos actuales siendo sensible a las condiciones reales en las que las personas las usamos.

En la práctica, estas consideraciones se traducen en optar por software libre (ya que es transparente en su código y da la posibilidad de enriquecerlo), evitar contribuir en el desecho de tecnología o caer en el juego de la obsolescencia programada y tener prácticas pedagógicas que consideren aspectos sociales.

=== Las miradas feministas ===
[[File:04_ManualSD_TR.png|600px]]

Partimos de que no existe un feminismo, existen múltiples feminismos. Entre ellos, está el Transhackfeminismo que, si bien no cuenta con una definición clara (y probablemente no pretenda nunca una definición estática), rescata cuatro aspectos básicos:

a) El prefijo trans que hace referencia a la transformación, transgresión, transitoriedad; es el cambio y el saltar fronteras.

b) Hack, que en sus orígenes tiene que ver con trabajo mecánico que se repite. Es esa gota de agua que de tanto caer traspasa todo, es la esencia de Marie Curie procesando una tonelada de *Pechblenda* para obtener un gramo del material que le permitió descubrir el radio.

c) El feminismo como estas múltiples formas que han dado cuenta de cómo este sistema que sobrepone el capital a lo humano y ha basado su crecimiento en la explotación del cuerpo de la mujer, invisibiliza trabajos esenciales para la reproducción de la vida humana, discrimina y crea fracturas en las comunidades.

d) Desde la América Latina, '''la gran Abya Yala''', sumamos los feminismos comunitarios que introducen un ecofeminismo ligado a la tierra y descoloniza la mirada.

Desde el transhackfeminismo es posible ubicar la asimetría que hay para acceder al conocimiento y generar estrategias. Pone en el centro la comunalidad como nuestra base; cuestiona y desactiva las prácticas de poder al compartir conocimiento.

== La educación popular ==
[[File:05_ManualSD_TR.png|500px]]

Existen una gran variedad de prácticas pedagógicas en manuales de seguridad digital, en algunos casos sólo son recomendaciones sobre dinámicas, útiles, por ejemplo, para despertar a los participantes cuando están cansados, algunas otras van más lejos y emplean técnicas de educación para adultos. Nosotras decidimos trabajar a partir de la educación popular <ref>Sobrepasa los alcances de este manual detallar aspectos de la educación popular y existe numerosa bibliografía al respecto. Se puede iniciar revisando la obra de Paulo Freire (Por ejemplo: https://es.wikipedia.org/wiki/Paulo_Freire)</ref> , porque compartimos que:

a) Educar es un acto político en el que existen relaciones de poder y hay que romper con esos esquemas.

b) Creemos que la teoría y la práctica están dialécticamente relacionadas.

c) Como lo dice la etimología de la palabra: la conciencia proviene del conocimiento aprendido con otros/as.

d) Asumimos que ''el mundo no es, el mundo está siendo'' (Paulo Freire).

== Preparativos ==
[[File:06_ManualSD_TR.png|600px]]

Considerando que el diagnóstico contempla tanto actividades ''in situ'' como trabajo de gabinete, para tener una facilitación eficiente y segura es vital estar preparado. Lo que significa:

1. Entender el contexto tecnopolítico en el que se desenvuelve la organización.

2. Proveer a la organización de una explicación precisa de cómo se llevará a cabo el diagnóstico, su propósito y las expectativas sobre los miembros de la organización que participen.

3. Estar seguro que se cuenta con todos los insumos materiales necesarios.

A continuación damos una serie de ideas de cómo prepararse, pero es importante que cada paso sea asimilado en su esencia y tratar de adaptar de forma creativa las situaciones particulares.

== Investigación ==
[[File:26_ManualSD_TR.png|500px]]

a) Conociendo a la organización.

Tal vez la invitación a colaborar llegó por la conexión de una persona cercana y por transferencia de confianza se tienen premisas tácitas. Sin embargo, tanto para evaluar el riesgo para el equipo de facilitación como para el proceso de diagnóstico, es necesario ampliar lo más posible este conocimiento, investigar quiénes son y lo que trabajan.

Hay que tomar en cuenta que la idea no es hacer un análisis invasivo, convertirse en [https://en.wikipedia.org/wiki/Stalking stalkers] <ref>El término popularmente se refiere a una actitud obsesiva que se refleja en la búsqueda de información pero que puede llegar más lejos.</ref> o exponer a las organizaciones en su vulnerabilidad, porque esto podría crear desconfianza, incomodar a la organización o poner a los/las participantes a la defensiva. Es necesario ser sensibles y tener claridad en el límite de la búsqueda de información pública. De ser necesario, durante el trabajo *in situ* se pueden aportar mecanismos sobre cómo hilar entre los diferentes tipos de información pública que existen y la información que, sin estar totalmente pública, las empresas que se utilizan para servicios como correo electrónico o redes sociales, pueden tener y combinar para diferentes tipos de análisis.

Consideramos información pública necesaria para esta primera aproximación toda la que esté disponible en prensa, comunicados políticos, la que se encuentre en redes sociales, la que esté disponible en su sitio web (incluyendo información sobre el servidor en el que se aloja, el representante legal y técnico que se asocien al dominio y sus direcciones oficiales, la cual se obtiene fácilmente a partir de páginas como https://whois.net/default.aspx) y, si es posible, quien provee el servicio de correo electrónico.

A partir de esta información, se trata de contestar preguntas como: ¿Qué temas se abordan? ¿Quiénes podrían estar interesados en oponerse a este trabajo o a quiénes afecta este trabajo? ¿Qué tan públicas son las personas que trabajan en la organización? ¿Con qué otras personas o instituciones se les puede asociar? ¿En qué país se encuentra el servidor de su sitio web? ¿Cuál es la información personal identificable (IPI<ref>IPI Información Personal Identificable se refiere a toda aquella información sobre un individuo que es administrada por un tercero (por ejemplo: gobiernos o empresas), incluyendo todos aquellos datos que pueden ser distintivos del individuo o a partir de los cuales es posible rastrear su identidad y toda la información asociada o asociable al individuo (por ejemplo: el número de su pasaporte, su dirección física, la placa de matriculación de su coche, etc).</ref>) del personal dentro de todos los datos que se han encontrado? ¿Es posible ubicar geográficamente las instalaciones de la organización? ¿Se pueden conseguir teléfonos de las oficinas o sitios de trabajo y teléfonos personales? ¿Han tenido incidentes de seguridad o amenazas reportadas públicamente?

b) Análisis del contexto tecnopolítico regional, nacional y local.

Esto incluye conocer y relacionar las temáticas que trabaja la organización y las posturas que habría sobre las mismas a nivel gubernamental nacional, estatal y local. Es importante buscar si se han reportado indicios de compra de equipos o asociación con empresas dedicadas al espionaje o la vigilancia y si ha sido una práctica gubernamental documentada la represión o la vigilancia. También se puede buscar la trayectoria de gente que participe del gobierno local/estatal/nacional.

Asimismo, es relevante investigar marcos normativos que permiten la vigilancia, entender bajo qué causales se permiten y qué instituciones específicas pueden ejercerla. Si no existen reportes, tal vez es necesario llevar a cabo solicitudes de acceso a la información si se cuenta con ese mecanismo en el país en el que se trabaja.

c) Actualización sobre programas y herramientas.

Esto incluye conocer sobre equipos y software dedicados al espionaje (torres falsas de celular -IMSI catchers-, aplicaciones, bloqueadores de señal, aplicaciones que explotan vulnerabilidades), sus costos, funcionamiento y facilidad para obtenerlos.

También es útil que se conozca a las compañías y sus políticas de privacidad, así como las capas de seguridad de sus programas y fallos reportados para:

* Correo electrónico
* Servicios en línea (archivar y compartir documentos, calendarios, construcción de escritos colaborativos en tiempo real, etc.)
* Programas que se utilizan comúnmente para dar soporte en línea
* Redes sociales
* Sistemas operativos comunes

=== Materiales útiles ===
Para la sesión de análisis participativa: Lápiz de cera, rollos de papel [https://es.wikipedia.org/wiki/Papel_de_estraza kraft], plumones, marcadores para pizarrón, hojas tamaño carta, estambre o hilo grueso de colores. Etiquetas redondas de colores (verde, amarillo, rojo, azul), tijeras (si se viajará en avión hay que recordar ponerlas en el equipaje que no va en cabina o las perderán).

Para los diagnósticos de las computadoras: [[File:08_ManualSD_TR.png|200px]]

* Al menos dos memorias usb totalmente limpias. Si se han usado con anterioridad hay que asegurarse de no solo de borrar los datos, sino de reescribir sobre ellos antes de usarlas.
* Versiones en vivo<ref>Un sistema operativo en ''vivo'' (o ''Live'' en inglés), es un sistema que puede iniciarse sin necesidad de ser instalado en el disco duro de la computadora, comúnmente a partir de un disco o un dispositivo de almacenamiento externo (USB) o por medio de la red, usando imágenes para netboot. Los sistemas ''Live'' no alteran el sistema operativo local o sus archivos, en algunos casos puede seguirse un procedimiento para que sean instalados en el disco duro de la computadora.
</ref> de antivirus (por ejemplo: ESET SysRescue y AVIRA).
* Versión en vivo de un sistema operativo GNU-Linux.

Para el segundo día debes asegurar que puedes imprimir el reporte preliminar.

=== Planificación y comunicación de la agenda ===
Descartando el tiempo dedicado a los preparativos, la fase de análisis y redacción del informe final; la metodología de diagnóstico que proponemos requiere dos días seguidos de trabajo ''in situ''. Idealmente son 16 horas en las oficinas de la organización pero el equipo de facilitación debe estar preparado para destinar un poco más de tiempo durante esos días.

Tal vez una pregunta que salta es por qué dos días. Es el tiempo promedio máximo que, en nuestra experiencia, una organización puede inicialmente comprometerse para dedicar al proceso.

Dependiendo de cómo esté estructurada la organización, para el diagnóstico es crucial que participe al menos un miembro de cada área/equipo de trabajo. Esto debe quedar bien claro en la comunicación con la organización, ya que es frecuente que sólo se cite al personal que da mantenimiento a las computadoras y/o directivos. La intención de convocar al menos a una persona de cada área/equipo es tener una muestra lo más real posible de cómo cotidianamente se trabaja.

La forma en la que recomendamos que se reparta la agenda dentro de los horarios de oficina es:

'''Primer día'''

* Sesión matutina conjunta para un análisis de riesgos, guiada por dos personas del equipo de facilitación (aproximadamente 4 horas), una tercera persona se ocupará de iniciar el diagnóstico de los equipos de cómputo (estimamos que se invierten 20 minutos aproximadamente por equipo. En las siguientes secciones daremos más detalles).
* Sesión vespertina para evaluar computadoras (4-6 horas ).

Para la noche del primer día, es necesario que el equipo de facilitación se reúna para hacer una valuación de la sesión matutina y un primer análisis de hallazgos, confirmar agenda y prioridades para el siguiente día.

'''Segundo día'''

* Sesión matutina para concluir la revisión de los equipos de cómputo (4 horas aproximadamente).
* Redacción del reporte preliminar (2 horas).
* Sesión vespertina para presentar el reporte preliminar y la retroalimentación del mismo (2 horas ).

Los detalles sobre cada actividad se presentarán en las siguientes secciones.

[[File:09_ManualSD_TR.png|left|300px|Agenda]] Es muy importante comunicar de forma clara todas las actividades a desarrollar, tiempo esperado y personal de la organización que es requerido para las sesiones conjuntas, así como las necesidades y tiempos para el diagnóstico de los equipos de cómputo.

=== Planificación del viaje ===
[[File:10_ManualSD_TR.png|left|400px|Viaje]]La planificación del viaje se debe hacer contemplando presupuesto, evaluación de seguridad, condiciones para un buen descanso (tal vez toca dormir poco pero hay que poder dormir bien) y condiciones adecuadas para trabajo nocturno.

Sobrepasa los objetivos del presente manual hacer una descripción detallada sobre los cuatro aspectos; sin embargo, hay algunos recursos en línea que pueden ser de utilidad para orientarse (hemos puesto algunos en la sección de Referencias útiles).

Es necesario asegurar que toda la logística es correcta, como la dirección del lugar donde se llevará a cabo el diagnóstico, tener un número y persona de contacto, prever el tiempo y medio de transporte local y coordinar la entrada y salida de las oficinas, para estimar el tiempo que requerirá evaluar los equipos de cómputo y el ambiente físico.

== Cuidado colectivo ==
[[File:12_ManualSD_TR.png|left|600px|juntxs]]Una buena atmósfera de trabajo parte de la generación de espacios seguros, en los que existe un ambiente positivo de trabajo, se cuida de maximizar los niveles de energía y dedicación, tanto de las personas participantes como del equipo de facilitación.

Algunos preparativos que puedes considerar para el cuidado colectivo son:

1. Incluir como parte del servicio de café, fruta de temporada y agua.[[File:11_ManualSD_TR.png|200px]]

2. Es muy útil llevar semillas o alimentos que proveen energía para que el equipo de facilitación pueda consumir en momentos breves.

3. Es importante estar atentos de los/as participantes y de los/as integrantes del equipo de facilitación para poder detenerse a descansar en algunos momentos, aunque no estén en la agenda, o sugerir alguna dinámica energizante.

=== Equipo de facilitación ===

En nuestra experiencia, el equipo ideal está compuesto por tres personas por cada 8-12 participantes. Lo que se busca es contar con personas que cubran los siguientes aspectos:

* Conocimiento en el análisis de las computadoras y herramientas de seguridad digital.
* Conocimiento en técnicas pedagógicas.
* Capacidad de investigación.
* Trabajo en el tema de cuidados o acompañamiento psicológico a comunidades con estrés.

Es común que no se pueda contar con el equipo ideal. En su defecto, hay que tratar de apoyarse en recursos sobre el tema y que por cada facilitador no haya más de diez personas.

Si el equipo está compuesto por biohombres y biomujeres, es importante ser consciente que la tendencia en el trabajo con organizaciones es dar mayor peso a la palabra masculina en los aspectos técnicos o tal vez también pueden existir otras características dentro del equipo de facilitación que despierten asimetrías. Por lo tanto, es primordial tomar conciencia de los privilegios sociales que se le pueden atribuir a los diferentes miembros del equipo y tratar de mitigar prácticas jerarquizantes.

== Día 1 ==

[[File:13_ManualSD_TR.png|left|250px|Día 1]]

El trabajo ''in situ'' para el primer día se divide en dos partes: el trabajo colectivo y el inicio de la revisión de los equipos de cómputo y del ambiente físico.

=== Trabajo colectivo===
[[File:07_ManualSD_TR.png|600px]]

Es necesario llegar con anticipación para preparar el espacio de trabajo. Antes de iniciar la sesión:

* Colocar las sillas y las mesas en forma de medio círculo.
* Poner lápices de cera de colores y/o plumones y hojas en el centro de la mesa.
* Recortar y pegar tres columnas de papel kraft o [https://es.wikipedia.org/wiki/Papel_de_estraza estraza] sobre una pared visible para todos/as; estos deben ser tan largos como el equipo de facilitación alcance a escribir sobre de ellos.
* Recortar y pegar otra columna de papel kraft separada para el glosario.
* Pedir las contraseñas de internet por si es necesario investigar algo en el momento.

====Presentación====
Tiempo estimado: 10 minutos

La sesión inicia con una breve dinámica de presentación del equipo de facilitación y de los/as asistentes. En este punto se provee información sobre el equipo de facilitación así como de lo que se espera del diagnóstico. Se puede aprovechar para enfatizar que en el diagnóstico no hay respuestas buenas o respuestas malas, sino que hay lo que se hace, así, sin calificativos. Es primordial ser muy sensible para detectar si existe algún tipo de resistencia o temor por parte de algún participante, para verbalizarlo y hacer notar que el diagnóstico no es una evaluación hacia las personas, sino que busca conocer qué se hace y con qué se hace para sugerir un plan apropiado de seguridad digital. También hay que destacar que el equipo de facilitación sólo pretende ayudar a ir generando el diagnóstico pero que se parte del conocimiento que los/las participantes tienen, por lo que es indispensable su participación.

También como parte de la presentación es importante hacer acuerdos de formas de trabajo. En educación popular usamos:

* Forma es fondo
* La memoria es más extensa que la inteligencia.
* La memoria colectiva es más extensa que la memoria individual
* La letra con juego entra
* Nadie aprende en cabeza ajena
* Entre todos/as sabemos todo
* Nadie libera a nadie, nadie se libera solo. Nadie educa a nadie y nadie se educa solo
* Evitar negar a el/la compañero/a.
* Sumar la idea de el/la otro/a.
* Escucha activa
* Evitar calificativos
* Evitar monopolizar la palabra
* Para hacer más fructífera la discusión, ir sumando,no redundando en lo dicho
* No imponer ideas

====Actividad: Dibujar mi día al lado de la tecnología====
Tiempo estimado: 45 minutos

Objetivo: Conocer dispositivos, programas, aplicaciones que se usan y para qué se usan. Este ejercicio permite también conocer si los mismos dispositivos son usados para trabajo o actividades personales.

Descripción: Se pide a los/las asistentes que dibujen su día al lado de las tecnologías que ocupan (no sólo las de trabajo sino las que usan cotidianamente; por ejemplo, aplicaciones biométricas o de esparcimiento, como las de citas o sitios de taxi). Hay que mencionar que con esta actividad se busca una narrativa, así que para las personas que no se sienten tan cómodas dibujando, pueden escribir un texto.

Sugerencia: Antes de iniciar las presentaciones de los dibujos, podría ser útil dividir la primera columna del papel kraft en cuatro secciones: “Celular”, “Computadora”, “Celular+Computadora” y “Otros dispositivos”, para apuntar los usos de la tecnología bajo el tipo de dispositivo que más le corresponde.

Posteriormente, cada participante describe su dibujo. Mientras lo hace, un miembro del equipo de facilitación va apuntando en la primera columna de papel kraft los "Usos de la tecnología" que debe reflejar el dispositivo/aplicación y su uso, por ejemplo:

* Yo uso la alarma de mi celular para despertarme por la mañana.
* Uso mi computadora para escuchar música en Spotify.
* Utilizo una aplicación en mi celular para cuantificar mi pasos diarios.
* Uso Whatsapp en mi celular para compartir audios con mis colegas.
* Uso Dropbox para respaldar documentos de mi computadora.

Dependiendo de la cantidad de asistentes, no es necesario que todos/as expongan su dibujo; en todo caso, se puede pedir a algunos/as que lo hagan y después que el resto complemente si tiene algún uso que no se ha mencionado.

También cuando se sabe que hay aplicaciones que sirven tanto en el celular como en una computadora o tableta, hay que indagar si se usa sólo en un dispositivo o en todos.

Al final del ejercicio, tendremos una lista de usos de la tecnología.

====Actividad: ¿Qué información se produce?====
Tiempo estimado: 45 minutos

Objetivo: Detallar para cada uso de la tecnología, la información que se produce.
Descripción: Indicar para cada uso de la tecnología la información que se produce. Aunque parezca obvio, es necesario explicar a qué información se refiere. Por ejemplo, en el caso de una fotografía, la información que se produce no es en sí mismo el archivo digital que lo contiene, que puede ser un archivo .jpg o .png, sino lo que está en la foto; por ejemplo, qué es lo que fue tomado (un paisaje o personas), en qué momento, en qué lugar, etc. En el caso de una aplicación para taxis, la información que se produce va desde origen y destino, hasta frecuencia o forma de pago. Esta es una buena oportunidad para introducir el término '''Metadatos''' e incluirlo en el glosario. En este ejercicio es muy importante que se llegue al mayor detalle posible. La actividad se desarrolla completando la segunda columna de papel kraft con la información que se produce según el uso de la tecnología que se haya mencionado.

Al final del ejercicio, tendremos la lista de la información que generan la organización y sus integrantes.

====Actividad: Lluvia de actores====
Tiempo estimado: 30 minutos

Objetivo: Generar una extensa lista de actores que podrían tener un interés personal, político y/o económico de la información que la organización y su equipo de trabajo producen.

Descripción: La actividad consiste en discutir qué actores podrían estar interesados en cada información que se ha colocado en la lista. En esta actividad se tienen que verter todos los actores hipotéticos, sin descartar alguno, ya que en las siguientes actividades se podrán evaluar la motivación y recursos para quedarse con una lista más acotada.

Cabe explicar que la invitación es pensar en actores internacionales, nacionales, locales, políticos, grupos religiosos, periodistas, incluso en quienes pudieran tener algún tipo de interés personal, como particulares que tengan alguna inconformidad con el personal o la organización.

Durante la actividad se conecta a cada actor con la información que le podría interesar, usando plumones de colores por actor o usando estambre o hilo grueso para cada conexión. El equipo de facilitación, sin imponer puntos de vista, puede aportar información resultante de la investigación de contexto.

Tendremos una lista de actores relacionados con la información que produce la organización al finalizar el ejercicio.

====Actividad: Acotando actores====
Tiempo estimado: 40 minutos

Objetivo: Determinar actores que, además de tener motivación, podrían contar con los recursos necesarios para tratar de obtener información de la organización sin su consentimiento.

Descripción: Durante la actividad se discute sobre los actores mencionados: si cuentan con recursos o si se conoce que han implementando prácticas de vigilancia y/o espionaje. Se consideran recursos, no solo económicos, para poder llevar a cabo una acción: tener conocimientos, personas que pudieran ayudarles, relaciones con personas poderosas.

El equipo de facilitación debe aportar elementos sobre los diferentes tipos de recursos que se necesitan para intentar obtener información de la organización; por ejemplo: el robo de los equipos de cómputo, colocación de antenas falsas de celular, envío de malware (recordar que todos los términos nuevos se deben poner en el glosario, invitando a los participantes a escribir también).

El equipo de facilitación puede proveer de contexto sobre el marco legal y antecedentes de la vigilancia, para señalar cuáles actores están legalmente facultados para llevar a cabo la vigilancia; capacidad política o social/económica de influir sobre políticos y accesibilidad de la tecnología de vigilancia (capacidad técnica y económica).

Hay que recordar que este ejercicio tiene que ver con la percepción de cada participante, por lo que no es indispensable llegar a consensos, aunque es útil, y se puede dejar una anotación sobre las diferentes opiniones.

Con el ejercicio concluido, tendremos una lista acotada de actores que tienen capacidad de vigilancia, con interés en el trabajo de la organización.

====Actividad: El semáforo de la información====
Tiempo estimado: 40 minutos

Objetivo: Determinar qué información se considera sensible.

Descripción: Sobre la lista de información que la organización produce, para cada dato que pueda ser de interés para algún actor que se encuentra en la lista final de la actividad '''5''', se pregunta: ¿Qué harían los actores si obtienen la información? ¿Qué tan grave sería esto para la organización (sus campañas, la seguridad de sus contrapartes, la seguridad de las víctimas que acompaña, la seguridad de los integrantes de la organización, la reputación de la organización, su seguridad económica, etc.)? Si las consecuencias serían graves, poner un punto rojo. Si son consecuencias que llevan un costo importante para la organización pero son superables, un punto amarillo. Si es preferible que no ocurra pero el impacto sería mínimo o nulo, un punto verde.

Sugerencia: Insistir con los/las participantes que antes de elegir el color de semáforo justifiquen bien la elección. Por ejemplo, describiendo una situación hipotética y realista de la posible consecuencia o citando un caso parecido que haya sucedido, explicando cuál sería el impacto para la organización. Requiriendo una explicación de la propuesta de color de semáforo se fomentan la discusión y el debate entre los participantes, ayuda a que los resultados finales del diagnóstico estén realmente consensuados.

Al concluir la actividad, tendremos una lista de la información que se tiene que proteger de la vigilancia: todos los datos que tienen puntos rojos o amarillos.

====Actividad: Puertas y candados para la información====
Tiempo estimado: 15 minutos

[[File:16_ManualSD_TR.png|400px]]

Objetivo: Describir los mecanismos de protección que existen sobre la información sensible de la organización.

Descripción: Para toda la información que tiene que protegerse de la vigilancia, teniendo a la lista de “usos de tecnología” como referencia, preguntar dónde se encuentra esta información y cuáles medidas se han tomado hasta ahora para resguardarla y/o limitar el acceso de terceros a ella (llave, cifrado, contraseña, ubicación, temporalidad, nada, '''respaldos''', etc.). Apuntar las respuestas.

En esta actividad es necesario tratar de recuperar los saberes intuitivos que los miembros de la organización usan. Algunos no tendrán base alguna y puede ser un momento adecuado para eliminar falsos supuestos, pero en otros es posible sorprendernos con las estrategias que la gente desarrolla.

Al terminar el ejercicio, tendremos una lista de los usos de la tecnología por parte de la organización y sus integrantes, los cuales requieren la incorporación de mejores prácticas y herramientas de seguridad digital.

====Comentarios de cierre del trabajo colectivo====
Tiempo estimado: 15 minutos

Para poder concluir la sesión grupal se pregunta a los/as asistentes si en su percepción han tenido incidentes de seguridad en general y digital, en particular. Después, si se siente ansiedad o malestar en el grupo, hay que tratar de generar un diálogo sobre la importancia del diagnóstico como primer paso, proceso que nunca será perfecto sino que estará en transformación constante pero que será útil. Se puede recurrir a alguna dinámica corporal que ayude con el estrés.

[[File:22_ManualSD_TR.png|600px]]

Para cerrar, se explica que el siguiente paso es la revisión del ambiente físico y de los equipos de cómputo, enfatizando que no se trata de un análisis forense y que tampoco será el momento de instalar programas o arreglar problemas que se presentan, sino una mirada '''a vuelo de pájaro''' de estructura de la información que se guarda, programas, estado de antivirus. Hay que reforzar que no será un análisis que violente la privacidad, puesto que para algunas personas mostrar sus equipos de cómputo puede ser como mostrar el clóset de su habitación o el cajón que está al lado de la cama. También se aprovecha para recordar la importancia de contar con la total asistencia de quienes participarán en la sesión de retroalimentación de los hallazgos preliminares.

[[File:23_ManualSD_TR.png|left|450px|Celulares]]
Probablemente, un análisis más exhaustivo incluiría la revisión de móviles pero, a partir del análisis de las computadoras y de la actividad sobre usos de la tecnología, se pueden inferir muchas de las vulnerabilidades. Lo que se busca es no exponer a las personas en su intimidad. Concluyendo la sesión hay que recordar que la información deberá guardarse en un lugar seguro.

''Nota: Dependiendo del tiempo, se recomienda tomar uno o dos descansos.''

=== Análisis del ambiente físico y de los equipos de cómputo ===
[[File:17_ManualSD_TR.png|right|350px|Ambiente]]La seguridad digital depende también de las condiciones ambientales en las que se usan los dispositivos. Por tanto, es pertinente realizar una evaluación sistemática de algunos aspectos específicos de las instalaciones de trabajo, incluyendo:

a) La facilidad para acceder a la oficina: cuántas puertas y ventanas tiene y si están bien protegidas, si es fácil acceder desde alguna construcción vecina, etc.

b) Si la oficina cuenta con portero y si se cumple el protocolo acordado con él para el ingreso.

c) La existencia de alarmas y cámaras de seguridad. En caso de contar con cámaras, hay que asegurarse que funcionan y si graban. En ese caso, preguntar la existencia de protocolos para revisar los videos. También si tienen una pila para la alarma, en caso de un corte de energía eléctrica.

d) Si en la oficina hay espacios que se cierran bajo llave, conocer quiénes tienen las llaves y acceso a qué espacio. Si hay archiveros, también saber quiénes.

e) Otro aspecto a evaluar es si se recibe a gente externa a la organización en una sala en particular, y si los/as visitantes podrían desde ahí dirigirse fácilmente a otra área dentro de la oficina (se busca saber si es posible robar equipos o dejar un dispositivo tipo keylogger).

f) Estado de la construcción, especialmente si hay humedad, y si las conexiones eléctricas están en buen estado. También verificar si hay sobrecarga de dispositivos en una misma conexión y si se usan reguladores.

Como parte de esta revisión general hay que observar si las computadoras están conectadas usando una red inalámbrica o por ethernet, la configuración de la red, la fortaleza de la contraseña de la red inalámbrica, si el módem ha cambiado su configuración de origen y la compañía que ofrece el servicio.

Para la revisión de los equipos de cómputo hay que recordar que no se trata de un análisis forense y la profundidad con la que se realice depende de los conocimientos técnicos del equipo de facilitadores y el tiempo. En caso de sospechar la presencia de '''malware''', si se quiere documentar para tomar acciones legales, es mejor no trabajar sobre el equipo y generar una copia. Por sí mismo, esto es un trabajo independiente, pero si se requiere se puede iniciar con un sistema en vivo GNU-Linux (el comando ''dd'' puede ser una opción).

Considerando el tiempo promedio que requiere el análisis de las computadoras, recomendamos intentar hacer al menos 10 equipos que correspondan a las diferentes áreas de trabajo, ya que lo que se pretende es tener una muestra lo más completa posible.

El análisis de las computadoras se concentra en tres puntos: a) vulnerabilidades en los equipos por ausencia de antivirus, desactivación de firewall o falta de actualizaciones de seguridad; b) instalación y uso de programas que tienen vulnerabilidades, malware, adware u otro tipo de software malicioso; c) exposición por uso del navegador de internet.

Para poder evaluar los puntos anteriores, en el caso del sistema operativo Windows, desde la terminal cmd se pueden usar los siguientes comandos: systeminfo, tasklist y wmic. Después se va al visor de eventos y se guardan los logs de eventos de seguridad, de hardware, aplicación, administrativos, instalación y sistema para una revisión rápida.

En OS X puedes usar Información del sistema y la consola para mirar los logs. En GNU-Linux hay una variedad amplia de comandos para listar programas y ver los logs.

Se revisa el estado de firewall.

Se detecta si se tiene antivirus, versión de la base de datos y logs. Si no se tiene antivirus o está desactivado se debe considerar usar una de las versiones en vivo.

Se revisa que navegador/es se usan, guardado del historial, guardado de contraseñas y plugins instalados.

'''Sugerencia''': dependiendo de las habilidades del equipo de facilitación, se puede generar un ''script'' para automatizar la revisión del firewall y de los logs.

'''Sugerencia''': Al revisar los logs también es posible automatizarlos mediante un ''script'', es importante poner atención en las direcciones IP recurrentes.

'''Sugerencia''': Puedes hacer un mapeo completo de la red para verificar equipos conectados y usuarios. Para la Wifi puedes verificar tipo de cifrado, vpn y/o vlan.

== Evaluación del día y revisión de archivos ==
[[File:18_ManualSD_TR.png|right|400px|Análisis]]
Para lograr concluir el trabajo en tiempo, el tener una breve reunión de evaluación en la que se puedan intercambiar observaciones, posibilidades para el segundo día, preocupaciones, aspectos positivos del trabajo y cómo se siente el equipo de facilitación, hará más eficiente el tiempo restante.

A partir de la reunión general y los primeros resultados de los equipos de cómputo, se puede iniciar ya la sistematización para la redacción del informe preliminar. En el anexo 1 podrás encontrar una propuesta de formato. El objetivo en general es organizar la información, considerando los riesgos encontrados y, a partir de ello, proponer una ruta de fortalecimiento en seguridad digital para la organización.

El informe debe considerar:

* Hallazgos de la evaluación del ambiente físico.
* Análisis de amenazas a la información:
a) Riesgo: Pérdida de información por fallo de hardware, robo o pérdida de hardware, o error humano

b) Riesgo: Pérdida de información por ataque de malware y

c) Riesgo: Vigilancia o robo de datos.

* Recomendaciones.

Para este momento se tendrá además mucha información que revisar y procesar. Sobre los archivos que se tienen de los equipos, hay que evaluar programas instalados y, si hay algunos que son poco comunes, investigar sobre ellos. '''En otros casos se conocen más las vulnerabilidades''', por ejemplo: en programas para comunicación por voz si usan o no cifrado en tránsito. Para los logs, lo que se necesita es una vista '''a vuelo de pájaro''', entonces se tiene que relacionar la información con lo que la gente ha manifestado que hace o detectar si se reportó algún incidente extraño. Por ejemplo, si el trabajo en la oficina es siempre matutino, será anormal encontrar que hay un reporte de inicio del sistema por la noche. También hay que familiarizarse con los procesos que comúnmente se ejecutan en los diferentes sistemas operativos para observar si hay procesos inusuales.

La profundidad con la que se logre la revisión de eventos del sistema y lista de tareas, depende mucho de los conocimientos y la experiencia que tiene el equipo de facilitación. Para introducirse en el tema es útil investigar aspectos como los programas comunes de inicio de los sistemas operativos y los códigos de errores. La idea muchas veces no es encontrar un error sino buscar patrones y anomalías.

== Día 2 ==
[[File:13_ManualSD_TR.png|left|200px|sol]] La jornada del segundo día consiste en tres etapas: 1) Primera conclusión de la revisión de los equipos de cómputo; 2) la redacción del informe preliminar; y 3) la discusión del mismo con la organización.

=== Conclusión del análisis de equipos de cómputo y redacción del informe preliminar ===

Lo deseable es ocupar entre tres y cuatro horas para terminar con la revisión de los equipos para dejar suficiente tiempo para concluir el informe preliminar (aproximadamente dos horas) y reservar unos minutos para la impresión.

En la redacción del informe hay que tener cuidado con proveer una argumentación sólida que justifique las recomendaciones. Si bien el objetivo no es redactar una explicación extensa sobre cada vulnerabilidad encontrada, en algunos casos ayudará para apropiarse de la propuesta, entender el por qué algo es considerado un riesgo. El informe debe poder hilar aspectos de contexto social, político y económico con aspectos más técnicos. También, sin minimizar los riesgos, se debe ser responsable con la forma en la que se plantean las vulnerabilidades.

Las recomendaciones deben asumir las condiciones reales de cada organización. A veces la mejor opción es la que, en efecto, se podrá implementar; de nada sirve proponer cambiar de equipos o poner un servidor interno si no hay condiciones. Sin embargo, es posible sugerir recomendaciones a largo plazo. Las propuestas deben ser claras respecto a los requerimientos para ser implementadas, incluyendo los tiempos. En nuestra experiencia, es importante poder comprometer a la organización en acciones a corto plazo que alienten su interés y visibilicen que es posible tomar algunas acciones. De tal forma, la seguridad como un paso a la vez, se fortalece con prácticas más autónomas.

En el Anexo I se encontrará se sugiere una plantilla para que facilitar el proceso de redacción del reporte preliminar.

===Presentación del informe preliminar ===
[[File:20_ManualSD_TR.png|600px]]

El tiempo estimado para esta actividad es de dos horas. Se inicia explicando que el informe es una primera versión que tiene como objetivo compartir con la organización los hallazgos y las recomendaciones, que es un momento valioso para hacer cambios por si se ha entendido mal alguna cosa o si hay información que no quedó incluida, y que se alcance un acuerdo interno con el equipo de facilitación respecto a las recomendaciones finales.

Se dan unos minutos para que cada participante lea el informe y, posteriormente, se hace una lectura colectiva, dando la oportunidad para la retroalimentación.

En la sección de recomendaciones es fundamental que quede claro lo que se propone, tiempos, y las razones por las cuales se hace cada recomendación.

Finalmente, se crea un acuerdo sobre el medio oportuno para hacer la entrega del informe final y la confidencialidad de la información, acordar como se destruye el papel kraft usado y si es necesario destruir también las copias del informe preliminar. Si aún queda algo de tiempo se puede pedir una breve evaluación de los/as participantes sobre la experiencia del diagnóstico en el ánimo de hacerlo cada vez mejor.

En el caso de que el equipo facilitador tenga que conservar algunos archivos del análisis de computadoras para un análisis más profundo, debe considerar la vía más segura para transportarlos, guardarlos y borrarlos posteriormente.

== Diagnóstico final ==
[[File:19_ManualSD_TR.png|left|300px|Informe]] La versión final del informe del diagnóstico debe incluir todos los cambios sugeridos en la reunión de retroalimentación. Su elaboración es una oportunidad para añadir una argumentación más detallada sobre vulnerabilidades, empresas, condiciones económicas y/o políticas. Inevitablemente implicaría investigación adicional para poder llenar huecos de información que no se pudieron resolver durante la actividad de análisis de amenazas, y para contar con la información más actualizada sobre las herramientas cuyas ventajas y desventajas se evaluaron. La investigación es fundamental para maximizar la pertinencia de las recomendaciones y la claridad de su justificación.

[[File:21_ManualSD_TR.png|right|300px|Envio]]El último paso en el diagnóstico es hacer llegar el reporte final a la organización. Es importante que se envíe por un medio seguro, ya que el reporte puede contener información altamente sensible sobre la organización, y también para establecer un buen antecedente al manejar cuidadosamente el transporte de información sensible.

== Recursos útiles ==

Sin duda, mantenerse actualizado sobre las herramientas y tener acceso a información que nos ayude en los proceso formativos de seguridad digital, es complicado. A continuación, listamos algunos recursos útiles, pero hay que recordar que los cambios en el tema se están dando en tiempos muy cortos, por lo que hay que buscar actualizarse y, si se tiene la oportunidad, compartir los recursos que se encuentren con la comunidad.

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual/es Manual Zen]
* [https://securityinabox.org/es/ Seguridad en una caja]
* [https://ssd.eff.org/es Autoprotección Digital Contra La Vigilancia: Consejos, Herramientas y Guías Para Tener Comunicaciones Más Seguras]
* Documentos de [https://karisma.org.co/biblioteca/ Fundación Karisma]
* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

En inglés:

* [https://holistic-security.tacticaltech.org Seguridad holística]
* [https://safetag.org/ SAFETAG]
* [https://level-up.cc/ Level-up]

==Agradecimientos ==
[[File:25_ManualSD_TR.png|300px]]

Agradecemos profundamente a Jacobo Nájera, Hedme Sierra Castro y William Vides por su revisión de la versión en español y a Alexandra Hache por la lectura de la primera versión de este documento. Agradecemos también a Mónica Ortiz por la corrección ortográfica y de estilo.

==Créditos ==
Esta guía fue escrita por [http://tecnicasrudas.org Técnicas Rudas] con el apoyo del "Institute for War
and Peace Reporting" [http://iwpr.net IWPR].

<gallery>
IWPR-LOGO.png|IWPR
LogoTR.png|Técnicas Rudas
</gallery>

Diseño: María Silva y Yutsil Mangas

==Anexo I==
[https://gendersec.tacticaltech.org/wiki/images/8/8c/Diagn%C3%B3sticoSeguridadDigital_InformePreliminar_Plantilla.odt Plantilla para el reporte final del Diagnóstico en Seguridad Digital]

==Versión en inglés==
[https://gendersec.tacticaltech.org/wiki/index.php/Digital_Security_Assessment_for_Human_Rights_Organizations:_A_guide_for_facilitators Versión al ingles]
==Referencias==

[[Category:How_To]]
[[Category:Resources]]

Diagnósticos en seguridad digital para organizaciones defensoras de derechos humanos y del territorio: un manual para facilitadores

2017-09-08T19:44:16Z

Anamhoo: Created page with "600px == Presentando el manual == Introducción En la mitología griega, Dedalus era un creador de artefa..."

[[File:01_ManualSD_TR.png|600px]]
== Presentando el manual ==
[[File:24_ManualSD_TR.png|center|600px|Introducción]]

En la mitología griega, Dedalus era un creador de artefactos, sus obras mostraban constantemente el profundo conflicto entre la innovación y su uso como herramienta del poder o la ambición. Como si fuese uno más de los artefactos de Dedalus, entre los sueños utópicos y las pesadillas, la tecnología actual no ha logrado escapar de sus propias paradojas. En el sueño de Dedalus, la innovación tecnológica serviría para volar y escapar del encierro pero en ese impulso humano de quedar cegado ante lo luminoso y la posibilidad, Ícaro, su hijo, llevó al límite el sueño.

Actualmente, la tecnología sigue jugando este papel: en el sueño potencia nuestra libertad y bienestar, pero se juega siempre en el límite. En el caso de las tecnologías de la información y la comunicación (TIC), como en la mitología, éstas nos dan la posibilidad de buscar la libertad traspasando fronteras, combatiendo discursos dominantes de odio, dando espacios para lo diverso, el encontrarnos y reconocernos, el compartir. Sin embargo, atadas a sus propias vulnerabilidades, las TIC exponen a quienes las usamos a riesgos como la vigilancia, el espionaje e incluso la manipulación.

El trabajo de los y las defensoras de los derechos humanos y del territorio, sin duda, se ha beneficiado del desarrollo de nuevas tecnologías para actividades importantes como comunicarnos, generar campañas, compartir información, hacer análisis, documentar casos y guardar datos. Al mismo tiempo, el uso de la tecnología ha generado nuevas vulnerabilidades, evidenciadas por eventos documentados, entre ellos: la infección de computadoras por autoridades gubernamentales con programas para vigilar, compra de equipos para monitorear llamadas, robo de computadoras a organizaciones sociales, pérdida/robo del celular con información personal y de trabajo que después se expuso en redes sociales, espionaje sobre redes sociales e intrusión en cuentas de correo o facebook.

La información que comúnmente nos llega sobre la capacidad de vigilancia que podría tener el Estado, algún cartel e incluso particulares, usando la tecnología, puede exacerbar el miedo y fomentar la autocensura. Puede parecer que solo hay dos opciones extremas: o ''usa la tecnología sin protección porque no hay nada que puedas hacer'' o ''destruyamos la tecnología''. En la práctica, esta disyuntiva se reduce a la decisión de usarla o no.

Nosotras abogamos por una postura distinta, que no parte de la desesperación, ni de responder con violencia, sino con auto-determinación: si bien la tecnología no es ni el principio ni el final del problema, un uso consciente puede potenciar nuestras acciones, evitar o mitigar vulnerabilidades y ayudar al cuidado colectivo.

A partir de nuestra propia experiencia dentro de colectivos, trabajo con organizaciones muy diversas e investigación, creemos que es importante generar estrategias y sumar a los análisis de seguridad de las organizaciones lo que se conoce como seguridad digital; que implica analizar nuestro uso de la tecnología, entender nuestras vulnerabilidades, encontrar herramientas que nos sean oportunas y desarrollar capacidades internas para integrarla dentro de un esquema general de seguridad.

Desafortunadamente, las organizaciones y colectivos, debido a problemas como la falta de tiempo, recursos o conocimientos, pocas veces cuentan con la oportunidad de generar esta integración de la seguridad digital como un proceso. Esto resulta frecuentemente en que al final las medidas acordadas se abandonan con el tiempo.

Desde las comunidades técnicas que tienen un compromiso social, existe también una dificultad para contribuir en estos procesos, ya que en muchos casos, si bien los conocimientos sobre seguridad digital pueden ser sólidos, la falta de estrategias pedagógicas o de experiencia sobre las condiciones reales en las que se desarrolla el trabajo cotidiano de las organizaciones, se crea una barrera que impide la comunicación y la transferencia de conocimientos.

Para que un proceso de seguridad digital sea apropiado efectivamente por las organizaciones, es fundamental que el conocimiento no se integre desde las voces expertas, sino desde el compartir y recrear. El paso inicial de tal proceso es el diagnóstico participativo.

En este manual, las '''Técnicas Rudas''' presentamos una propuesta metodológica para implementar diagnósticos de seguridad digital para organizaciones que trabajan en la defensa de los derechos humanos y/o del territorio. Este manual está dirigido especialmente a talleristas, facilitadores y expertos en seguridad digital que trabajen con organizaciones sociales. Sin embargo, creemos que puede ser útil para guiar a una organización que decida iniciar el proceso por sí misma.

La propuesta se caracteriza porque tiene una postura tecnopolítica e introduce una mirada feminista. En consecuencia, se basa en la educación popular como herramienta pedagógica.

==¿Cómo usar esta guía?==
[[File:02_ManualSD_TR.png|center|600px|Cómo?]]

Está guía esta enfocada en la comunidad de entrenadores o facilitadores en seguridad digital, pero también puede ser útil para una organización que ha tomado la decisión de iniciar su proceso de seguridad digital por sí misma. La estructura y las actividades propuestas puede y debe adaptarse a las circunstancias y necesidades específicas de la organización. La guía también puede ser una referencia útil para los facilitadores cuando llevan a cabo el diagnóstico de una organización o grupo. La metodología también puede aplicarse a evaluaciones individuales con ajustes mínimos.

=== ¿Por qué es necesaria la mirada tecnopolítica? ===

De forma superficial, el debate sobre las vulnerabilidades limita las consecuencias en el ámbito de la privacidad individual, generando una respuesta particularizada que se reduce a frases como “no tengo nada que ocultar", que no logra integrar el alcance social que estas tienen. Mientras que los especialistas buscan soluciones reduccionistas, como el que una aplicación se encargue de '''parchar vulnerabilidades'''.

[[File:03_ManualSD_TR.png|left|400px|Tecnopolitica]]Sin embargo, un análisis más profundo sobre la tecnología, da cuenta de cómo en las diferentes fases de los procesos tecnológicos existe una visión política-económica. Así, al momento de ser construida, se hace evidente la necesidad de analizar de dónde se obtienen los minerales indispensables para sus componentes, las manos de quienes trabajaron para su producción, las condiciones laborales; en dónde es producida y cómo llega a los mercados, el cómo estas mercancías serán consumidas, cruzadas por el género y la clase. Y al final serán desechadas bajo un esquema territorial del planeta, impuesto desde un porcentaje pequeño de la población que acumula la riqueza.

Esta mirada profunda que identificamos como tecnopolítica, ha hecho evidente que existe un interés económico en la obtención de datos personales a partir del uso de medios digitales. Por ejemplo, se puede ver la investigación de [https://chupadados.codingrights.org/es/ Coding Rights].

También han sido expuestas evidencias de vigilancia local y global. Por ejemplo, al momento de escribir este manual, en México se han mostrado evidencias de espionaje a periodistas y organizaciones defensoras de derechos humanos usando el software ''Pegasus''<ref>https://r3d.mx/2017/06/19/gobierno-espia/</ref>.

Para la región, en 2015, filtraciones de correos de la empresa Hacking Team evidenciaron la enorme inversión que gobiernos latinoamericanos habían hecho en hardware y software para la vigilancia<ref>https://www.derechosdigitales.org/wp-content/uploads/malware-para-la-vigilancia.pdf </ref>.

Sobre vigilancia masiva, el caso más conocido fue el de las [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 filtraciones] hechas por Edward Snowden en 2013, que mostraron un elaborado aparato de vigilancia global operada por la NSA (National Security Agency por sus siglas en inglés) de Estados Unidos <ref> https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29</ref>.

Considerando las condiciones sociales es importante alertar a quienes defienden los derechos humanos y el territorio que usan las TIC para sus comunicaciones, incluso como parte de sus estrategias de lucha, sobre sus vulnerabilidades.

La seguridad digital requiere una mirada tecnopolítica porque solo podrá responder certeramente a los retos actuales siendo sensible a las condiciones reales en las que las personas las usamos.

En la práctica, estas consideraciones se traducen en optar por software libre (ya que es transparente en su código y da la posibilidad de enriquecerlo), evitar contribuir en el desecho de tecnología o caer en el juego de la obsolescencia programada y tener prácticas pedagógicas que consideren aspectos sociales.

=== Las miradas feministas ===
[[File:04_ManualSD_TR.png|600px]]

Partimos de que no existe un feminismo, existen múltiples feminismos. Entre ellos, está el Transhackfeminismo que, si bien no cuenta con una definición clara (y probablemente no pretenda nunca una definición estática), rescata cuatro aspectos básicos:

a) El prefijo trans que hace referencia a la transformación, transgresión, transitoriedad; es el cambio y el saltar fronteras.

b) Hack, que en sus orígenes tiene que ver con trabajo mecánico que se repite. Es esa gota de agua que de tanto caer traspasa todo, es la esencia de Marie Curie procesando una tonelada de *Pechblenda* para obtener un gramo del material que le permitió descubrir el radio.

c) El feminismo como estas múltiples formas que han dado cuenta de cómo este sistema que sobrepone el capital a lo humano y ha basado su crecimiento en la explotación del cuerpo de la mujer, invisibiliza trabajos esenciales para la reproducción de la vida humana, discrimina y crea fracturas en las comunidades.

d) Desde la América Latina, '''la gran Abya Yala''', sumamos los feminismos comunitarios que introducen un ecofeminismo ligado a la tierra y descoloniza la mirada.

Desde el transhackfeminismo es posible ubicar la asimetría que hay para acceder al conocimiento y generar estrategias. Pone en el centro la comunalidad como nuestra base; cuestiona y desactiva las prácticas de poder al compartir conocimiento.

== La educación popular ==
[[File:05_ManualSD_TR.png|500px]]

Existen una gran variedad de prácticas pedagógicas en manuales de seguridad digital, en algunos casos sólo son recomendaciones sobre dinámicas, útiles, por ejemplo, para despertar a los participantes cuando están cansados, algunas otras van más lejos y emplean técnicas de educación para adultos. Nosotras decidimos trabajar a partir de la educación popular <ref>Sobrepasa los alcances de este manual detallar aspectos de la educación popular y existe numerosa bibliografía al respecto. Se puede iniciar revisando la obra de Paulo Freire (Por ejemplo: https://es.wikipedia.org/wiki/Paulo_Freire)</ref> , porque compartimos que:

a) Educar es un acto político en el que existen relaciones de poder y hay que romper con esos esquemas.

b) Creemos que la teoría y la práctica están dialécticamente relacionadas.

c) Como lo dice la etimología de la palabra: la conciencia proviene del conocimiento aprendido con otros/as.

d) Asumimos que ''el mundo no es, el mundo está siendo'' (Paulo Freire).

== Preparativos ==
[[File:06_ManualSD_TR.png|600px]]

Considerando que el diagnóstico contempla tanto actividades ''in situ'' como trabajo de gabinete, para tener una facilitación eficiente y segura es vital estar preparado. Lo que significa:

1. Entender el contexto tecnopolítico en el que se desenvuelve la organización.

2. Proveer a la organización de una explicación precisa de cómo se llevará a cabo el diagnóstico, su propósito y las expectativas sobre los miembros de la organización que participen.

3. Estar seguro que se cuenta con todos los insumos materiales necesarios.

A continuación damos una serie de ideas de cómo prepararse, pero es importante que cada paso sea asimilado en su esencia y tratar de adaptar de forma creativa las situaciones particulares.

== Investigación ==
[[File:26_ManualSD_TR.png|500px]]

a) Conociendo a la organización.

Tal vez la invitación a colaborar llegó por la conexión de una persona cercana y por transferencia de confianza se tienen premisas tácitas. Sin embargo, tanto para evaluar el riesgo para el equipo de facilitación como para el proceso de diagnóstico, es necesario ampliar lo más posible este conocimiento, investigar quiénes son y lo que trabajan.

Hay que tomar en cuenta que la idea no es hacer un análisis invasivo, convertirse en [https://en.wikipedia.org/wiki/Stalking stalkers] <ref>El término popularmente se refiere a una actitud obsesiva que se refleja en la búsqueda de información pero que puede llegar más lejos.</ref> o exponer a las organizaciones en su vulnerabilidad, porque esto podría crear desconfianza, incomodar a la organización o poner a los/las participantes a la defensiva. Es necesario ser sensibles y tener claridad en el límite de la búsqueda de información pública. De ser necesario, durante el trabajo *in situ* se pueden aportar mecanismos sobre cómo hilar entre los diferentes tipos de información pública que existen y la información que, sin estar totalmente pública, las empresas que se utilizan para servicios como correo electrónico o redes sociales, pueden tener y combinar para diferentes tipos de análisis.

Consideramos información pública necesaria para esta primera aproximación toda la que esté disponible en prensa, comunicados políticos, la que se encuentre en redes sociales, la que esté disponible en su sitio web (incluyendo información sobre el servidor en el que se aloja, el representante legal y técnico que se asocien al dominio y sus direcciones oficiales, la cual se obtiene fácilmente a partir de páginas como https://whois.net/default.aspx) y, si es posible, quien provee el servicio de correo electrónico.

A partir de esta información, se trata de contestar preguntas como: ¿Qué temas se abordan? ¿Quiénes podrían estar interesados en oponerse a este trabajo o a quiénes afecta este trabajo? ¿Qué tan públicas son las personas que trabajan en la organización? ¿Con qué otras personas o instituciones se les puede asociar? ¿En qué país se encuentra el servidor de su sitio web? ¿Cuál es la información personal identificable (IPI<ref>IPI Información Personal Identificable se refiere a toda aquella información sobre un individuo que es administrada por un tercero (por ejemplo: gobiernos o empresas), incluyendo todos aquellos datos que pueden ser distintivos del individuo o a partir de los cuales es posible rastrear su identidad y toda la información asociada o asociable al individuo (por ejemplo: el número de su pasaporte, su dirección física, la placa de matriculación de su coche, etc).</ref>) del personal dentro de todos los datos que se han encontrado? ¿Es posible ubicar geográficamente las instalaciones de la organización? ¿Se pueden conseguir teléfonos de las oficinas o sitios de trabajo y teléfonos personales? ¿Han tenido incidentes de seguridad o amenazas reportadas públicamente?

b) Análisis del contexto tecnopolítico regional, nacional y local.

Esto incluye conocer y relacionar las temáticas que trabaja la organización y las posturas que habría sobre las mismas a nivel gubernamental nacional, estatal y local. Es importante buscar si se han reportado indicios de compra de equipos o asociación con empresas dedicadas al espionaje o la vigilancia y si ha sido una práctica gubernamental documentada la represión o la vigilancia. También se puede buscar la trayectoria de gente que participe del gobierno local/estatal/nacional.

Asimismo, es relevante investigar marcos normativos que permiten la vigilancia, entender bajo qué causales se permiten y qué instituciones específicas pueden ejercerla. Si no existen reportes, tal vez es necesario llevar a cabo solicitudes de acceso a la información si se cuenta con ese mecanismo en el país en el que se trabaja.

c) Actualización sobre programas y herramientas.

Esto incluye conocer sobre equipos y software dedicados al espionaje (torres falsas de celular -IMSI catchers-, aplicaciones, bloqueadores de señal, aplicaciones que explotan vulnerabilidades), sus costos, funcionamiento y facilidad para obtenerlos.

También es útil que se conozca a las compañías y sus políticas de privacidad, así como las capas de seguridad de sus programas y fallos reportados para:

* Correo electrónico
* Servicios en línea (archivar y compartir documentos, calendarios, construcción de escritos colaborativos en tiempo real, etc.)
* Programas que se utilizan comúnmente para dar soporte en línea
* Redes sociales
* Sistemas operativos comunes

=== Materiales útiles ===
Para la sesión de análisis participativa: Lápiz de cera, rollos de papel [https://es.wikipedia.org/wiki/Papel_de_estraza kraft], plumones, marcadores para pizarrón, hojas tamaño carta, estambre o hilo grueso de colores. Etiquetas redondas de colores (verde, amarillo, rojo, azul), tijeras (si se viajará en avión hay que recordar ponerlas en el equipaje que no va en cabina o las perderán).

Para los diagnósticos de las computadoras: [[File:08_ManualSD_TR.png|200px]]

* Al menos dos memorias usb totalmente limpias. Si se han usado con anterioridad hay que asegurarse de no solo de borrar los datos, sino de reescribir sobre ellos antes de usarlas.
* Versiones en vivo<ref>Un sistema operativo en ''vivo'' (o ''Live'' en inglés), es un sistema que puede iniciarse sin necesidad de ser instalado en el disco duro de la computadora, comúnmente a partir de un disco o un dispositivo de almacenamiento externo (USB) o por medio de la red, usando imágenes para netboot. Los sistemas ''Live'' no alteran el sistema operativo local o sus archivos, en algunos casos puede seguirse un procedimiento para que sean instalados en el disco duro de la computadora.
</ref> de antivirus (por ejemplo: ESET SysRescue y AVIRA).
* Versión en vivo de un sistema operativo GNU-Linux.

Para el segundo día debes asegurar que puedes imprimir el reporte preliminar.

=== Planificación y comunicación de la agenda ===
Descartando el tiempo dedicado a los preparativos, la fase de análisis y redacción del informe final; la metodología de diagnóstico que proponemos requiere dos días seguidos de trabajo ''in situ''. Idealmente son 16 horas en las oficinas de la organización pero el equipo de facilitación debe estar preparado para destinar un poco más de tiempo durante esos días.

Tal vez una pregunta que salta es por qué dos días. Es el tiempo promedio máximo que, en nuestra experiencia, una organización puede inicialmente comprometerse para dedicar al proceso.

Dependiendo de cómo esté estructurada la organización, para el diagnóstico es crucial que participe al menos un miembro de cada área/equipo de trabajo. Esto debe quedar bien claro en la comunicación con la organización, ya que es frecuente que sólo se cite al personal que da mantenimiento a las computadoras y/o directivos. La intención de convocar al menos a una persona de cada área/equipo es tener una muestra lo más real posible de cómo cotidianamente se trabaja.

La forma en la que recomendamos que se reparta la agenda dentro de los horarios de oficina es:

'''Primer día'''

* Sesión matutina conjunta para un análisis de riesgos, guiada por dos personas del equipo de facilitación (aproximadamente 4 horas), una tercera persona se ocupará de iniciar el diagnóstico de los equipos de cómputo (estimamos que se invierten 20 minutos aproximadamente por equipo. En las siguientes secciones daremos más detalles).
* Sesión vespertina para evaluar computadoras (4-6 horas ).

Para la noche del primer día, es necesario que el equipo de facilitación se reúna para hacer una valuación de la sesión matutina y un primer análisis de hallazgos, confirmar agenda y prioridades para el siguiente día.

'''Segundo día'''

* Sesión matutina para concluir la revisión de los equipos de cómputo (4 horas aproximadamente).
* Redacción del reporte preliminar (2 horas).
* Sesión vespertina para presentar el reporte preliminar y la retroalimentación del mismo (2 horas ).

Los detalles sobre cada actividad se presentarán en las siguientes secciones.

[[File:09_ManualSD_TR.png|left|300px|Agenda]] Es muy importante comunicar de forma clara todas las actividades a desarrollar, tiempo esperado y personal de la organización que es requerido para las sesiones conjuntas, así como las necesidades y tiempos para el diagnóstico de los equipos de cómputo.

=== Planificación del viaje ===
[[File:10_ManualSD_TR.png|left|400px|Viaje]]La planificación del viaje se debe hacer contemplando presupuesto, evaluación de seguridad, condiciones para un buen descanso (tal vez toca dormir poco pero hay que poder dormir bien) y condiciones adecuadas para trabajo nocturno.

Sobrepasa los objetivos del presente manual hacer una descripción detallada sobre los cuatro aspectos; sin embargo, hay algunos recursos en línea que pueden ser de utilidad para orientarse (hemos puesto algunos en la sección de Referencias útiles).

Es necesario asegurar que toda la logística es correcta, como la dirección del lugar donde se llevará a cabo el diagnóstico, tener un número y persona de contacto, prever el tiempo y medio de transporte local y coordinar la entrada y salida de las oficinas, para estimar el tiempo que requerirá evaluar los equipos de cómputo y el ambiente físico.

== Cuidado colectivo ==
[[File:12_ManualSD_TR.png|left|600px|juntxs]]Una buena atmósfera de trabajo parte de la generación de espacios seguros, en los que existe un ambiente positivo de trabajo, se cuida de maximizar los niveles de energía y dedicación, tanto de las personas participantes como del equipo de facilitación.

Algunos preparativos que puedes considerar para el cuidado colectivo son:

1. Incluir como parte del servicio de café, fruta de temporada y agua.[[File:11_ManualSD_TR.png|200px]]

2. Es muy útil llevar semillas o alimentos que proveen energía para que el equipo de facilitación pueda consumir en momentos breves.

3. Es importante estar atentos de los/as participantes y de los/as integrantes del equipo de facilitación para poder detenerse a descansar en algunos momentos, aunque no estén en la agenda, o sugerir alguna dinámica energizante.

=== Equipo de facilitación ===

En nuestra experiencia, el equipo ideal está compuesto por tres personas por cada 8-12 participantes. Lo que se busca es contar con personas que cubran los siguientes aspectos:

* Conocimiento en el análisis de las computadoras y herramientas de seguridad digital.
* Conocimiento en técnicas pedagógicas.
* Capacidad de investigación.
* Trabajo en el tema de cuidados o acompañamiento psicológico a comunidades con estrés.

Es común que no se pueda contar con el equipo ideal. En su defecto, hay que tratar de apoyarse en recursos sobre el tema y que por cada facilitador no haya más de diez personas.

Si el equipo está compuesto por biohombres y biomujeres, es importante ser consciente que la tendencia en el trabajo con organizaciones es dar mayor peso a la palabra masculina en los aspectos técnicos o tal vez también pueden existir otras características dentro del equipo de facilitación que despierten asimetrías. Por lo tanto, es primordial tomar conciencia de los privilegios sociales que se le pueden atribuir a los diferentes miembros del equipo y tratar de mitigar prácticas jerarquizantes.

== Día 1 ==

[[File:13_ManualSD_TR.png|left|250px|Día 1]]

El trabajo ''in situ'' para el primer día se divide en dos partes: el trabajo colectivo y el inicio de la revisión de los equipos de cómputo y del ambiente físico.

=== Trabajo colectivo===
[[File:07_ManualSD_TR.png|600px]]

Es necesario llegar con anticipación para preparar el espacio de trabajo. Antes de iniciar la sesión:

* Colocar las sillas y las mesas en forma de medio círculo.
* Poner lápices de cera de colores y/o plumones y hojas en el centro de la mesa.
* Recortar y pegar tres columnas de papel kraft o [https://es.wikipedia.org/wiki/Papel_de_estraza estraza] sobre una pared visible para todos/as; estos deben ser tan largos como el equipo de facilitación alcance a escribir sobre de ellos.
* Recortar y pegar otra columna de papel kraft separada para el glosario.
* Pedir las contraseñas de internet por si es necesario investigar algo en el momento.

====Presentación====
Tiempo estimado: 10 minutos

La sesión inicia con una breve dinámica de presentación del equipo de facilitación y de los/as asistentes. En este punto se provee información sobre el equipo de facilitación así como de lo que se espera del diagnóstico. Se puede aprovechar para enfatizar que en el diagnóstico no hay respuestas buenas o respuestas malas, sino que hay lo que se hace, así, sin calificativos. Es primordial ser muy sensible para detectar si existe algún tipo de resistencia o temor por parte de algún participante, para verbalizarlo y hacer notar que el diagnóstico no es una evaluación hacia las personas, sino que busca conocer qué se hace y con qué se hace para sugerir un plan apropiado de seguridad digital. También hay que destacar que el equipo de facilitación sólo pretende ayudar a ir generando el diagnóstico pero que se parte del conocimiento que los/las participantes tienen, por lo que es indispensable su participación.

También como parte de la presentación es importante hacer acuerdos de formas de trabajo. En educación popular usamos:

* Forma es fondo
* La memoria es más extensa que la inteligencia.
* La memoria colectiva es más extensa que la memoria individual
* La letra con juego entra
* Nadie aprende en cabeza ajena
* Entre todos/as sabemos todo
* Nadie libera a nadie, nadie se libera solo. Nadie educa a nadie y nadie se educa solo
* Evitar negar a el/la compañero/a.
* Sumar la idea de el/la otro/a.
* Escucha activa
* Evitar calificativos
* Evitar monopolizar la palabra
* Para hacer más fructífera la discusión, ir sumando,no redundando en lo dicho
* No imponer ideas

====Actividad: Dibujar mi día al lado de la tecnología====
Tiempo estimado: 45 minutos

Objetivo: Conocer dispositivos, programas, aplicaciones que se usan y para qué se usan. Este ejercicio permite también conocer si los mismos dispositivos son usados para trabajo o actividades personales.

Descripción: Se pide a los/las asistentes que dibujen su día al lado de las tecnologías que ocupan (no sólo las de trabajo sino las que usan cotidianamente; por ejemplo, aplicaciones biométricas o de esparcimiento, como las de citas o sitios de taxi). Hay que mencionar que con esta actividad se busca una narrativa, así que para las personas que no se sienten tan cómodas dibujando, pueden escribir un texto.

Sugerencia: Antes de iniciar las presentaciones de los dibujos, podría ser útil dividir la primera columna del papel kraft en cuatro secciones: “Celular”, “Computadora”, “Celular+Computadora” y “Otros dispositivos”, para apuntar los usos de la tecnología bajo el tipo de dispositivo que más le corresponde.

Posteriormente, cada participante describe su dibujo. Mientras lo hace, un miembro del equipo de facilitación va apuntando en la primera columna de papel kraft los "Usos de la tecnología" que debe reflejar el dispositivo/aplicación y su uso, por ejemplo:

* Yo uso la alarma de mi celular para despertarme por la mañana.
* Uso mi computadora para escuchar música en Spotify.
* Utilizo una aplicación en mi celular para cuantificar mi pasos diarios.
* Uso Whatsapp en mi celular para compartir audios con mis colegas.
* Uso Dropbox para respaldar documentos de mi computadora.

Dependiendo de la cantidad de asistentes, no es necesario que todos/as expongan su dibujo; en todo caso, se puede pedir a algunos/as que lo hagan y después que el resto complemente si tiene algún uso que no se ha mencionado.

También cuando se sabe que hay aplicaciones que sirven tanto en el celular como en una computadora o tableta, hay que indagar si se usa sólo en un dispositivo o en todos.

Al final del ejercicio, tendremos una lista de usos de la tecnología.

====Actividad: ¿Qué información se produce?====
Tiempo estimado: 45 minutos

Objetivo: Detallar para cada uso de la tecnología, la información que se produce.
Descripción: Indicar para cada uso de la tecnología la información que se produce. Aunque parezca obvio, es necesario explicar a qué información se refiere. Por ejemplo, en el caso de una fotografía, la información que se produce no es en sí mismo el archivo digital que lo contiene, que puede ser un archivo .jpg o .png, sino lo que está en la foto; por ejemplo, qué es lo que fue tomado (un paisaje o personas), en qué momento, en qué lugar, etc. En el caso de una aplicación para taxis, la información que se produce va desde origen y destino, hasta frecuencia o forma de pago. Esta es una buena oportunidad para introducir el término '''Metadatos''' e incluirlo en el glosario. En este ejercicio es muy importante que se llegue al mayor detalle posible. La actividad se desarrolla completando la segunda columna de papel kraft con la información que se produce según el uso de la tecnología que se haya mencionado.

Al final del ejercicio, tendremos la lista de la información que generan la organización y sus integrantes.

====Actividad: Lluvia de actores====
Tiempo estimado: 30 minutos

Objetivo: Generar una extensa lista de actores que podrían tener un interés personal, político y/o económico de la información que la organización y su equipo de trabajo producen.

Descripción: La actividad consiste en discutir qué actores podrían estar interesados en cada información que se ha colocado en la lista. En esta actividad se tienen que verter todos los actores hipotéticos, sin descartar alguno, ya que en las siguientes actividades se podrán evaluar la motivación y recursos para quedarse con una lista más acotada.

Cabe explicar que la invitación es pensar en actores internacionales, nacionales, locales, políticos, grupos religiosos, periodistas, incluso en quienes pudieran tener algún tipo de interés personal, como particulares que tengan alguna inconformidad con el personal o la organización.

Durante la actividad se conecta a cada actor con la información que le podría interesar, usando plumones de colores por actor o usando estambre o hilo grueso para cada conexión. El equipo de facilitación, sin imponer puntos de vista, puede aportar información resultante de la investigación de contexto.

Tendremos una lista de actores relacionados con la información que produce la organización al finalizar el ejercicio.

====Actividad: Acotando actores====
Tiempo estimado: 40 minutos

Objetivo: Determinar actores que, además de tener motivación, podrían contar con los recursos necesarios para tratar de obtener información de la organización sin su consentimiento.

Descripción: Durante la actividad se discute sobre los actores mencionados: si cuentan con recursos o si se conoce que han implementando prácticas de vigilancia y/o espionaje. Se consideran recursos, no solo económicos, para poder llevar a cabo una acción: tener conocimientos, personas que pudieran ayudarles, relaciones con personas poderosas.

El equipo de facilitación debe aportar elementos sobre los diferentes tipos de recursos que se necesitan para intentar obtener información de la organización; por ejemplo: el robo de los equipos de cómputo, colocación de antenas falsas de celular, envío de malware (recordar que todos los términos nuevos se deben poner en el glosario, invitando a los participantes a escribir también).

El equipo de facilitación puede proveer de contexto sobre el marco legal y antecedentes de la vigilancia, para señalar cuáles actores están legalmente facultados para llevar a cabo la vigilancia; capacidad política o social/económica de influir sobre políticos y accesibilidad de la tecnología de vigilancia (capacidad técnica y económica).

Hay que recordar que este ejercicio tiene que ver con la percepción de cada participante, por lo que no es indispensable llegar a consensos, aunque es útil, y se puede dejar una anotación sobre las diferentes opiniones.

Con el ejercicio concluido, tendremos una lista acotada de actores que tienen capacidad de vigilancia, con interés en el trabajo de la organización.

====Actividad: El semáforo de la información====
Tiempo estimado: 40 minutos

Objetivo: Determinar qué información se considera sensible.

Descripción: Sobre la lista de información que la organización produce, para cada dato que pueda ser de interés para algún actor que se encuentra en la lista final de la actividad '''5''', se pregunta: ¿Qué harían los actores si obtienen la información? ¿Qué tan grave sería esto para la organización (sus campañas, la seguridad de sus contrapartes, la seguridad de las víctimas que acompaña, la seguridad de los integrantes de la organización, la reputación de la organización, su seguridad económica, etc.)? Si las consecuencias serían graves, poner un punto rojo. Si son consecuencias que llevan un costo importante para la organización pero son superables, un punto amarillo. Si es preferible que no ocurra pero el impacto sería mínimo o nulo, un punto verde.

Sugerencia: Insistir con los/las participantes que antes de elegir el color de semáforo justifiquen bien la elección. Por ejemplo, describiendo una situación hipotética y realista de la posible consecuencia o citando un caso parecido que haya sucedido, explicando cuál sería el impacto para la organización. Requiriendo una explicación de la propuesta de color de semáforo se fomentan la discusión y el debate entre los participantes, ayuda a que los resultados finales del diagnóstico estén realmente consensuados.

Al concluir la actividad, tendremos una lista de la información que se tiene que proteger de la vigilancia: todos los datos que tienen puntos rojos o amarillos.

====Actividad: Puertas y candados para la información====
Tiempo estimado: 15 minutos

[[File:16_ManualSD_TR.png|400px]]

Objetivo: Describir los mecanismos de protección que existen sobre la información sensible de la organización.

Descripción: Para toda la información que tiene que protegerse de la vigilancia, teniendo a la lista de “usos de tecnología” como referencia, preguntar dónde se encuentra esta información y cuáles medidas se han tomado hasta ahora para resguardarla y/o limitar el acceso de terceros a ella (llave, cifrado, contraseña, ubicación, temporalidad, nada, '''respaldos''', etc.). Apuntar las respuestas.

En esta actividad es necesario tratar de recuperar los saberes intuitivos que los miembros de la organización usan. Algunos no tendrán base alguna y puede ser un momento adecuado para eliminar falsos supuestos, pero en otros es posible sorprendernos con las estrategias que la gente desarrolla.

Al terminar el ejercicio, tendremos una lista de los usos de la tecnología por parte de la organización y sus integrantes, los cuales requieren la incorporación de mejores prácticas y herramientas de seguridad digital.

====Comentarios de cierre del trabajo colectivo====
Tiempo estimado: 15 minutos

Para poder concluir la sesión grupal se pregunta a los/as asistentes si en su percepción han tenido incidentes de seguridad en general y digital, en particular. Después, si se siente ansiedad o malestar en el grupo, hay que tratar de generar un diálogo sobre la importancia del diagnóstico como primer paso, proceso que nunca será perfecto sino que estará en transformación constante pero que será útil. Se puede recurrir a alguna dinámica corporal que ayude con el estrés.

[[File:22_ManualSD_TR.png|600px]]

Para cerrar, se explica que el siguiente paso es la revisión del ambiente físico y de los equipos de cómputo, enfatizando que no se trata de un análisis forense y que tampoco será el momento de instalar programas o arreglar problemas que se presentan, sino una mirada '''a vuelo de pájaro''' de estructura de la información que se guarda, programas, estado de antivirus. Hay que reforzar que no será un análisis que violente la privacidad, puesto que para algunas personas mostrar sus equipos de cómputo puede ser como mostrar el clóset de su habitación o el cajón que está al lado de la cama. También se aprovecha para recordar la importancia de contar con la total asistencia de quienes participarán en la sesión de retroalimentación de los hallazgos preliminares.

[[File:23_ManualSD_TR.png|left|450px|Celulares]]
Probablemente, un análisis más exhaustivo incluiría la revisión de móviles pero, a partir del análisis de las computadoras y de la actividad sobre usos de la tecnología, se pueden inferir muchas de las vulnerabilidades. Lo que se busca es no exponer a las personas en su intimidad. Concluyendo la sesión hay que recordar que la información deberá guardarse en un lugar seguro.

''Nota: Dependiendo del tiempo, se recomienda tomar uno o dos descansos.''

=== Análisis del ambiente físico y de los equipos de cómputo ===
[[File:17_ManualSD_TR.png|right|350px|Ambiente]]La seguridad digital depende también de las condiciones ambientales en las que se usan los dispositivos. Por tanto, es pertinente realizar una evaluación sistemática de algunos aspectos específicos de las instalaciones de trabajo, incluyendo:

a) La facilidad para acceder a la oficina: cuántas puertas y ventanas tiene y si están bien protegidas, si es fácil acceder desde alguna construcción vecina, etc.

b) Si la oficina cuenta con portero y si se cumple el protocolo acordado con él para el ingreso.

c) La existencia de alarmas y cámaras de seguridad. En caso de contar con cámaras, hay que asegurarse que funcionan y si graban. En ese caso, preguntar la existencia de protocolos para revisar los videos. También si tienen una pila para la alarma, en caso de un corte de energía eléctrica.

d) Si en la oficina hay espacios que se cierran bajo llave, conocer quiénes tienen las llaves y acceso a qué espacio. Si hay archiveros, también saber quiénes.

e) Otro aspecto a evaluar es si se recibe a gente externa a la organización en una sala en particular, y si los/as visitantes podrían desde ahí dirigirse fácilmente a otra área dentro de la oficina (se busca saber si es posible robar equipos o dejar un dispositivo tipo keylogger).

f) Estado de la construcción, especialmente si hay humedad, y si las conexiones eléctricas están en buen estado. También verificar si hay sobrecarga de dispositivos en una misma conexión y si se usan reguladores.

Como parte de esta revisión general hay que observar si las computadoras están conectadas usando una red inalámbrica o por ethernet, la configuración de la red, la fortaleza de la contraseña de la red inalámbrica, si el módem ha cambiado su configuración de origen y la compañía que ofrece el servicio.

Para la revisión de los equipos de cómputo hay que recordar que no se trata de un análisis forense y la profundidad con la que se realice depende de los conocimientos técnicos del equipo de facilitadores y el tiempo. En caso de sospechar la presencia de '''malware''', si se quiere documentar para tomar acciones legales, es mejor no trabajar sobre el equipo y generar una copia. Por sí mismo, esto es un trabajo independiente, pero si se requiere se puede iniciar con un sistema en vivo GNU-Linux (el comando ''dd'' puede ser una opción).

Considerando el tiempo promedio que requiere el análisis de las computadoras, recomendamos intentar hacer al menos 10 equipos que correspondan a las diferentes áreas de trabajo, ya que lo que se pretende es tener una muestra lo más completa posible.

El análisis de las computadoras se concentra en tres puntos: a) vulnerabilidades en los equipos por ausencia de antivirus, desactivación de firewall o falta de actualizaciones de seguridad; b) instalación y uso de programas que tienen vulnerabilidades, malware, adware u otro tipo de software malicioso; c) exposición por uso del navegador de internet.

Para poder evaluar los puntos anteriores, en el caso del sistema operativo Windows, desde la terminal cmd se pueden usar los siguientes comandos: systeminfo, tasklist y wmic. Después se va al visor de eventos y se guardan los logs de eventos de seguridad, de hardware, aplicación, administrativos, instalación y sistema para una revisión rápida.

En OS X puedes usar Información del sistema y la consola para mirar los logs. En GNU-Linux hay una variedad amplia de comandos para listar programas y ver los logs.

Se revisa el estado de firewall.

Se detecta si se tiene antivirus, versión de la base de datos y logs. Si no se tiene antivirus o está desactivado se debe considerar usar una de las versiones en vivo.

Se revisa que navegador/es se usan, guardado del historial, guardado de contraseñas y plugins instalados.

'''Sugerencia''': dependiendo de las habilidades del equipo de facilitación, se puede generar un ''script'' para automatizar la revisión del firewall y de los logs.

'''Sugerencia''': Al revisar los logs también es posible automatizarlos mediante un ''script'', es importante poner atención en las direcciones IP recurrentes.

'''Sugerencia''': Puedes hacer un mapeo completo de la red para verificar equipos conectados y usuarios. Para la Wifi puedes verificar tipo de cifrado, vpn y/o vlan.

== Evaluación del día y revisión de archivos ==
[[File:18_ManualSD_TR.png|right|400px|Análisis]]
Para lograr concluir el trabajo en tiempo, el tener una breve reunión de evaluación en la que se puedan intercambiar observaciones, posibilidades para el segundo día, preocupaciones, aspectos positivos del trabajo y cómo se siente el equipo de facilitación, hará más eficiente el tiempo restante.

A partir de la reunión general y los primeros resultados de los equipos de cómputo, se puede iniciar ya la sistematización para la redacción del informe preliminar. En el anexo 1 podrás encontrar una propuesta de formato. El objetivo en general es organizar la información, considerando los riesgos encontrados y, a partir de ello, proponer una ruta de fortalecimiento en seguridad digital para la organización.

El informe debe considerar:

* Hallazgos de la evaluación del ambiente físico.
* Análisis de amenazas a la información:
a) Riesgo: Pérdida de información por fallo de hardware, robo o pérdida de hardware, o error humano

b) Riesgo: Pérdida de información por ataque de malware y

c) Riesgo: Vigilancia o robo de datos.

* Recomendaciones.

Para este momento se tendrá además mucha información que revisar y procesar. Sobre los archivos que se tienen de los equipos, hay que evaluar programas instalados y, si hay algunos que son poco comunes, investigar sobre ellos. '''En otros casos se conocen más las vulnerabilidades''', por ejemplo: en programas para comunicación por voz si usan o no cifrado en tránsito. Para los logs, lo que se necesita es una vista '''a vuelo de pájaro''', entonces se tiene que relacionar la información con lo que la gente ha manifestado que hace o detectar si se reportó algún incidente extraño. Por ejemplo, si el trabajo en la oficina es siempre matutino, será anormal encontrar que hay un reporte de inicio del sistema por la noche. También hay que familiarizarse con los procesos que comúnmente se ejecutan en los diferentes sistemas operativos para observar si hay procesos inusuales.

La profundidad con la que se logre la revisión de eventos del sistema y lista de tareas, depende mucho de los conocimientos y la experiencia que tiene el equipo de facilitación. Para introducirse en el tema es útil investigar aspectos como los programas comunes de inicio de los sistemas operativos y los códigos de errores. La idea muchas veces no es encontrar un error sino buscar patrones y anomalías.

== Día 2 ==
[[File:13_ManualSD_TR.png|left|200px|sol]] La jornada del segundo día consiste en tres etapas: 1) Primera conclusión de la revisión de los equipos de cómputo; 2) la redacción del informe preliminar; y 3) la discusión del mismo con la organización.

=== Conclusión del análisis de equipos de cómputo y redacción del informe preliminar ===

Lo deseable es ocupar entre tres y cuatro horas para terminar con la revisión de los equipos para dejar suficiente tiempo para concluir el informe preliminar (aproximadamente dos horas) y reservar unos minutos para la impresión.

En la redacción del informe hay que tener cuidado con proveer una argumentación sólida que justifique las recomendaciones. Si bien el objetivo no es redactar una explicación extensa sobre cada vulnerabilidad encontrada, en algunos casos ayudará para apropiarse de la propuesta, entender el por qué algo es considerado un riesgo. El informe debe poder hilar aspectos de contexto social, político y económico con aspectos más técnicos. También, sin minimizar los riesgos, se debe ser responsable con la forma en la que se plantean las vulnerabilidades.

Las recomendaciones deben asumir las condiciones reales de cada organización. A veces la mejor opción es la que, en efecto, se podrá implementar; de nada sirve proponer cambiar de equipos o poner un servidor interno si no hay condiciones. Sin embargo, es posible sugerir recomendaciones a largo plazo. Las propuestas deben ser claras respecto a los requerimientos para ser implementadas, incluyendo los tiempos. En nuestra experiencia, es importante poder comprometer a la organización en acciones a corto plazo que alienten su interés y visibilicen que es posible tomar algunas acciones. De tal forma, la seguridad como un paso a la vez, se fortalece con prácticas más autónomas.

En el Anexo I se encontrará se sugiere una plantilla para que facilitar el proceso de redacción del reporte preliminar.

===Presentación del informe preliminar ===
[[File:20_ManualSD_TR.png|600px]]

El tiempo estimado para esta actividad es de dos horas. Se inicia explicando que el informe es una primera versión que tiene como objetivo compartir con la organización los hallazgos y las recomendaciones, que es un momento valioso para hacer cambios por si se ha entendido mal alguna cosa o si hay información que no quedó incluida, y que se alcance un acuerdo interno con el equipo de facilitación respecto a las recomendaciones finales.

Se dan unos minutos para que cada participante lea el informe y, posteriormente, se hace una lectura colectiva, dando la oportunidad para la retroalimentación.

En la sección de recomendaciones es fundamental que quede claro lo que se propone, tiempos, y las razones por las cuales se hace cada recomendación.

Finalmente, se crea un acuerdo sobre el medio oportuno para hacer la entrega del informe final y la confidencialidad de la información, acordar como se destruye el papel kraft usado y si es necesario destruir también las copias del informe preliminar. Si aún queda algo de tiempo se puede pedir una breve evaluación de los/as participantes sobre la experiencia del diagnóstico en el ánimo de hacerlo cada vez mejor.

En el caso de que el equipo facilitador tenga que conservar algunos archivos del análisis de computadoras para un análisis más profundo, debe considerar la vía más segura para transportarlos, guardarlos y borrarlos posteriormente.

== Diagnóstico final ==
[[File:19_ManualSD_TR.png|left|300px|Informe]] La versión final del informe del diagnóstico debe incluir todos los cambios sugeridos en la reunión de retroalimentación. Su elaboración es una oportunidad para añadir una argumentación más detallada sobre vulnerabilidades, empresas, condiciones económicas y/o políticas. Inevitablemente implicaría investigación adicional para poder llenar huecos de información que no se pudieron resolver durante la actividad de análisis de amenazas, y para contar con la información más actualizada sobre las herramientas cuyas ventajas y desventajas se evaluaron. La investigación es fundamental para maximizar la pertinencia de las recomendaciones y la claridad de su justificación.

[[File:21_ManualSD_TR.png|right|300px|Envio]]El último paso en el diagnóstico es hacer llegar el reporte final a la organización. Es importante que se envíe por un medio seguro, ya que el reporte puede contener información altamente sensible sobre la organización, y también para establecer un buen antecedente al manejar cuidadosamente el transporte de información sensible.

== Recursos útiles ==

Sin duda, mantenerse actualizado sobre las herramientas y tener acceso a información que nos ayude en los proceso formativos de seguridad digital, es complicado. A continuación, listamos algunos recursos útiles, pero hay que recordar que los cambios en el tema se están dando en tiempos muy cortos, por lo que hay que buscar actualizarse y, si se tiene la oportunidad, compartir los recursos que se encuentren con la comunidad.

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual/es Manual Zen]
* [https://securityinabox.org/es/ Seguridad en una caja]
* [https://ssd.eff.org/es Autoprotección Digital Contra La Vigilancia: Consejos, Herramientas y Guías Para Tener Comunicaciones Más Seguras]
* Documentos de [https://karisma.org.co/biblioteca/ Fundación Karisma]
* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

En inglés:

* [https://holistic-security.tacticaltech.org Seguridad holística]
* [https://safetag.org/ SAFETAG]
* [https://level-up.cc/ Level-up]

==Agradecimientos ==
[[File:25_ManualSD_TR.png|300px]]

Agradecemos profundamente a Jacobo Nájera, Hedme Sierra Castro y William Vides por su revisión de la versión en español y a Alexandra Hache por la lectura de la primera versión de este documento. Agradecemos también a Mónica Ortiz por la corrección ortográfica y de estilo.

==Créditos ==
Esta guía fue escrita por [http://tecnicasrudas.org Técnicas Rudas] con el apoyo del "Institute for War
and Peace Reporting" [http://iwpr.net IWPR].

<gallery>
IWPR-LOGO.png|IWPR
LogoTR.png|Técnicas Rudas
</gallery>

Diseño: María Silva y Yutsil Mangas

==Anexo I==
[https://gendersec.tacticaltech.org/wiki/images/8/8c/Diagn%C3%B3sticoSeguridadDigital_InformePreliminar_Plantilla.odt Plantilla para el reporte final del Diagnóstico en Seguridad Digital]

==Referencias==

[[Category:How_To]]
[[Category:Resources]]

Digital Security Assessment for Human Rights Organizations: A guide for facilitators

2017-09-06T18:26:18Z

Anamhoo: /* Credits */

[[File:01_ManualSD_TR.png|600px]]
== Introduction ==
[[File:24_ManualSD_TR.png|center|600px]]

Advances in Information and Communications Technologies (ICT) have played a critical role in expanding the potential of human rights organizations to make a difference by enabling wider reach, scaling-up and increasing efficiency in essential activities including internal and external communication, remote collaboration, data collection and analysis, and documentation. Simultaneously, the integration of digital technologies into their day to to day work has exposed activists to new risks evidenced by reports of widespread intrusions on privacy from the hacking of emails and Facebook accounts to the infecting of computers with government-purchased spyware and the monitoring of telephone communication. These new risks are also present in the physical robbery of computers, as well as the loss or theft of cellphones containing both personal and professional data. Unwanted access to confidential information can expose activists to a range of threats including blackmail, public humiliation, obstruction of campaign strategies and day-to-day operations through physical, economic or technical interventions, and attacks on their physical security and that of their families and allies in the field.

Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: Either resign to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs all together because it is not worth the risk.

At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenged faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a [https://holistic-security.tacticaltech.org/ holistic security strategy].

Unfortunately, due to lack of time, resources and information, civil society organizations and activists rarely embark on a deliberate process for developing a digital security strategy beyond receiving input from technical experts to resolve immediate issues or learning about best practices and new tools. As a result, agreements to use certain tools or abide by certain protocols are abandoned over time.

For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.

==How to use this guide==

[[File:02_ManualSD_TR.png|400px]]

This guide is directed primarily at the digital security training community, but may also prove useful for an organization that chooses to initiate a digital security process on its own. The activities and structure proposed herein can and should be adapted to the specific circumstances and needs of the organization. The guide can also be a useful reference for facilitators throughout the implementation of the diagnostic. The methodology can also be applied to individual assessments with minimal adjustments.

== Methodological Foundations==

The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.

=== Why "technopolitical"? ===
[[File:03_ManualSD_TR.png|left|350px|Tech]][[File:09_ManualSD_TR.png|riaght|350px|Tech2]]

A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".

A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment, however it also incorporates criteria related to social impact in its guidance on how to develop recommendations.

One example of applying a technopolitcal perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of [https://chupadados.codingrights.org/es/ Coding Rights]).

Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 government-driven surveillance and espionage taking place on a global scale]. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html systematic use of government-purchased spyware against human rights activists and journalists].

Other examples of and practical resources on technopolitics: Everything you read by the [https://www.eff.org/ Electronic Frontier Foundation]; Tactical Tech's [https://tacticaltech.org/projects/27 Politics of Data] project; a Human Rights Watch series on [https://www.hrw.org/news/2016/03/25/digital-disruption-human-rights “Digital Disruption of Human Rights”]; research projects by the [https://www.theengineroom.org/work/=research Engine Room]; the Data&Society Institute's program on [https://datasociety.net/initiatives/data-human-rights/ Data, Human Rights & Human Security].

Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.

=== Transhackfeminism===
[[File:04_ManualSD_TR.png|600px]]

Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:

a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries.

b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of ''Pitchblende'' to obtain just one gram of the material that led her to discover the radio.

c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization.

Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.

=== Popular Education===
[[File:05_ManualSD_TR.png|600px]]

Popular education starts with the recognition that education is a political act. This political act can be repressive if it establishes hierarchical power relations, or emancipatory if it breaks them. In line with popular education, we are proponents of the emancipatory role of education. Our methodology for the facilitation of the participatory diagnostic is guided by the following three axioms:

1) theory and practice are dialectically related

2) consciousness - as its etymology indicates - comes from knowledge learned in the company of others

3) The world not a static reality, but a reality in process (Paulo Freire) <ref>Greater detail on popular education is beyond the scope of this manual, however there is an extensive body of literature on the subject. We recommend starting with [Paolo Freire] (https://es.wikipedia.org/wiki/Paulo_Freire).</ref>

== Preparation ==

[[File:06_ManualSD_TR.png|300px]]

Though the bulk of the diagnostic is carried out ''in situ'' with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of the how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.

=== Research ===
[[File:26_ManualSD_TR.png|500px]]

a) Get to know the organization.

Most likely, you already know something about the organization before deciding to work with them. However, it's important to expand that knowledge as much as possible for two objectives: 1) to evaluate risk for the facilitation team, and 2) to ensure that the assessment process itself is appropriate for the context and culture of the organization.

Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the ''in situ'' participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.

When collecting "public information" for this initial review, consider anything that can be found in media outlets, press releases, political statements, posts on social media, as well as information about the server, legal representative and technical team associated with the domain, any sub-domains and official web address (which can be relatively easily found using websites such as https://whois.net/default.aspx), and if possible, the company that provides the organization's email services.

Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII)<ref>PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.</ref> could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?

b) Analysis of the regional, national and local technopolitical context

In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services,<ref>A potentially helpful resource for answering this question is ShareLab's ([https://labs.rs/en/metadata/ metadata investigation of spy company Hacking Team's email communications]).</ref> as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.

It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.

c) Get up-to-date on programs and tools

This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.

It is also indispensable to be familiar with the business models, privacy policies, and transparency reports of the major companies that provide common ICT services, as well as the security features and any reported security flaws in connection with their products. Consider:

* email
* instant-messaging apps
* file sharing, calendars, real-time shared document editing and other cloud services
* video conferencing
* online tech support programs
* social media platforms
* operating systems
* mobile telecommunications

=== Useful Materials===

For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.

[[File:08_ManualSD_TR.png|left|200px|Computer diagnostics]] For the computer diagnostics: At least two completely clean pin drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.

===Planning and communicating the agenda===

Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work ''in situ''. However, the facilitators should be prepared to dedicate additional time between sessions.

Depending on how the organization is structured, it is crucial that at least one member from each area participate in the diagnostic. This requirement should be extremely clear in the communications with the organization leading up to the diagnostic, as they are likely to only invite technical staff and/or directors. The purpose of requiring at least one person from each area is to obtain the most accurate and complete portrayal of how the organization works.

We recommended the following distribution of activities over the course of 1-2 consecutive days:

'''Day One'''

Morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).

Afternoon session (Facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.

'''Day Two'''

Morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.

It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.

Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one-two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators because you will have to run the computer diagnostics in the afternoon of Day 1 and/or morning of Day 2.

===Planning your trip===
[[File:10_ManualSD_TR.png|400px]]

In planning your trip consider the following factors: budget, security assessment for the facilitators, adequate rest, and conditions that permit you to work late into the night (just in case).

While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.

===Collective care===
[[File:12_ManualSD_TR.png|600px]]

A positive work environment maximizes the focus and energy levels of both the participants and the facilitators. Here are some collective-care measures that facilitators can take before and during the diagnostic:

1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.

[[File:11_ManualSD_TR.png|200px]]

2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.

===Facilitators===

In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:

* Systems Administration
* Analysis of ICTs, and digital security tools
* Pedagogical techniques
* Research on technopolitical topics
* Sensitivity in situations of high emotional stress

You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.

If the team is comprised of biological men and biological women,<ref>Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.</ref> it is important to be aware that organizations (society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred to different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.

== Implementation==

The first day of the ''in situ'' stage of the assessment is comprised of two activities: collective risk analysis with the members of the organization, simultaneously with the hardware diagnostics and evaluation of the facilities.

=== Collective risk analysis ===
[[File:07_ManualSD_TR.png|600px]]

Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:

* Arrange the tables and chairs in a semicircle or U

* Distribute crayons, markers and paper on the table

* Place three long columns of kraft paper on a wall visible to all participants

* On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary

* Obtain the WIFI password in case you need to/are able to research doubts online during the session

1. Presentation (Estimated duration: 10 min)

Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.

To create a constructive environment for conversation, debate and self-expression, it's helpful to agree on some basic guidelines for participation, such as but not limited to:

1. Listen actively and with an open mind to the contributions of others
2. Avoid monopolizing the conversation and interrupting others
3. Be courageous, share your experience and perspective

2. Activity: Around-the-clock (Estimated duration: 45 min)

Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.

Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.

Tip 1: While the participants are working on their drawings, write "Uses of technology" at the top of the first column of kraft paper and divide the column into four roughly equal sections that you label: Cell phone/tablet; Computer; Computer+Cell/tablet; Other devices. This will help organize the notes you take when the participants present their drawings.

After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages partipants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:

- "I use the alarm on my cellphone to wake up in the morning"
- "I use my computer to listen to music with Spotify"
- "I use an app on my cellphone that counts steps"
- "I use Whatsapp to share audio files with my colleagues"
- "I use Dropbox from my computer to backup my documents"

Tip 2: It is not necessary that each and every participant present their drawing. In the interest of time, after a few people have presented, encourage the remaining participants to share uses of technology that have not yet been presented.

Tip 3: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.

Result: At the conclusion of this exercise, you will have a list of the typical ways that the members of the organization use technology.

3. Activity: What information is produced? (Estimated duration: 45 min)

Objective: Determine what information is produced as a consequence of each use of technology.

Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 1), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate because in the course of this activity it is important to be as detailed and exhaustive as possibe. As a consensus is reached, capture the answer in the second column of kraft paper.

Tip 1: Though it may it seem obvious, it is important to provide a clear definition of the word "information". For example, in the case of a photograph, the information is not "the photo", which only refers to the jpg or png file, but the content of the image, such as what is happening, the identities of the people in the picture, their location and the time and date of the event, etc. In the case of an app for taxis, the information produced would be origins and destinations of travel, frequency of certain routes and methods of payment.

Tip 2: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.

Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.

4. Activity: Actor Brainstorm (Approximate duration: 1 hour)

Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.

Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.

After completing the list of actors, connect each actor (from column 3) with the information they would be interested in (from column 2) extending a piece of thread from the actor toward the corresponding information. Throughout the exercise, when you consider it pertinent, contribute information about the technopolitical context that the members of the organization may not be taking into account.

Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.

Tip 1: Assign a distinct color of thread to each actor or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.

Tip 2: If the participants are having a hard time coming up with ideas, suggest that they consider a range of types of actors, including international, national, local, political, religious groups, media, and even private individuals with personal interests or vendetta against the organization or its members.

Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).

5. Activity: Actor brainstorm continued- Narrowing down (Estimated duration: 1 hour)

Objective: Determine which actors, in addition to having interest in the information produced from the organization, also possess the capacities and resources necessary to obtain that information without the organization's consent.

Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.

Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.

In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.

When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.

Tip 1: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.

Tip 2: During this exercise, it would be extremely useful to have on hand a table, chart, or infographic that clearly illustrates the legal, technical, and economic prerequisites for obtaining and using different surveillance tools, as well as the specific types of ICTs that these distinct surveillance tools are capable of attacking.

Result: At the conclusion of this exercise, you will have narrowed down a list of actors who have a) an interest in obtaining the organization's information and b) the capacity to obtain it.

6. Activity: Traffic lights (Estimated duration: 1 hour)

Objective: Determine which of the organization's information is sensitive.

Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity '''5'''), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.

Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.

Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".

7. Activity: Doors and Locks (Estimated time: 20 min)

[[File:16_ManualSD_TR.png|400px]]

Objective: Identify mechanisms that could help protect the organization's sensitive information.

Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.

Refer back column 1 of the kraft paper "Uses of technology" to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.

Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:

Tip: In some contexts it may appear that participants do not have enough technical knowledge to have placed adequate "locks" on all their "doors". However, be wary of making false assumptions. Often, organizations put in place digital security mechanisms intuitively, and as facilitators, you should recognize that and bring these advances to their attention.

Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.

8. Closing (Approximate duration: 20 min)

To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.

If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.

Before parting ways, make sure to briefly explain to the group that the next stage of the diagnostic consists in the revision of the staff's computers and the facilities. Make clear that this review is not a forensic analysis, that no programs will be installed on the computers, and that no technical issues will be fixed. Rather, this part of the assessment will offer a bird's eye view of the type of information that is stored, programs that have been installed, and the state of antivirus protections.

Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.

[[File:22_ManualSD_TR.png|600px]]

The collective risk analysis is now complete. Your final step is to transcribe the results into the preliminary report template (Annex I).

'''Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.'''

=== Computer diagnostics and evaluation of facilities===
[[File:17_ManualSD_TR.png|300px]]

Another aspect of digital security is the environment in which devices are being used. Therefore it is important to undertake a systematic evaluation of some of the specific aspects of the facilities and local ICT infrastructure, including:

a) How easy/difficult it is to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.

b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?

c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?

d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?

e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?

f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.

As part of this general review, consider the following checklist:

- Determine if the staff's computers are connected to the internet via WIFI or Ethernet
- Evaluate the network configuration, the strength of the WIFI password, encryption type, and if they have VPN or VLAN configured
- Determine if the modem's original configuration has been changed
- Identify the organization's internet service provider

Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.

Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.

Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.

Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU_Linux operating system (the command '''dd''' could be a good option).

We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.

The main points covered in the computer diagnostics are:

- vulnerabilities due to the absence of an antivirus program, inactive firewall, and lack of security updates
- installation of programs that contain vulnerabilities such as malware, adware and other malicious software
- the exposure of sensitive data due to browsing the internet

If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.

In OS X, you can access the "Console" from the Utilities folder to review the system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.

On all operating systems, perform the following steps:

1. Check the status of firewall on all operating systems
2. Check the status of antivirus protections on the computers, including if an antivirus software is installed, if the database is up-to-date, and logs
3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you
4. Check which search engines are used, if search history and passwords are saved, and which plugins are installed

=== Reviewing findings ===

[[File:21_ManualSD_TR.png|left|300px|RF]][[File:08_ManualSD_TR.png|right|200px|Computer]]

At this time, you will have a large amount of information to review and process.

With respect to the files you saved during the computer diagnostics, review the programs installed. If any standout as uncommon, conduct additional research to determine if they may be a potential threat.

In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.

Tip: Prior to implementing the diagnostic, facilitators should familiarize themselves with common processes that are executed in the main operating systems and how those appear in event logs. With this knowledge under your belt, you will be able to more readily detect unusual processes when they are reported in logs. Remember that the goal is not so much to search for specific errors, but to discover patterns and anomalies.

=== Preparing the preliminary report ===

With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).

The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.

Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.

The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with [https://en.wikipedia.org/wiki/Planned_obsolescence built-in obsolescence] and to opt for [https://en.wikipedia.org/wiki/Free_and_open-source_softwareopen-source and free software].

Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.

=== Presenting the preliminary report ===
[[File:20_ManualSD_TR.png|600px]]

The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.

Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.

When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.

When all the feedback has been given and a consensus has been reached on the content of the preliminary report, the session is essentially adjourned. However, if any time remains, we highly recommend asking the participants to give you feedback on the methodology and facilitation style, as well as their overall sense of the utility of the diagnostic.

Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).

The facilitators must take care to securely transport any files from the computer diagnostics that require further analysis or incorporation into the final report. Securely delete these files once they are no longer needed.

== Putting together the final report==
[[File:19_ManualSD_TR.png|left|300px|Report]] The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.

The last step in the diagnostic is to deliver the final report to the organization. Make sure to send the report using a secure medium as it contains highly sensitive information about the security vulnerabilities of the organization. This is also an opportunity to set a precedent for the handling and transportation of sensitive files.

== Additional resources ==

Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual Zen Manual]

* [https://securityinabox.org/en Security In-A-Box]

* [https://ssd.eff.org Surveillance Self-Defense Security Starter Pack]

* [https://holistic-security.tacticaltech.org Holistic Security]

* [https://safetag.org/ SAFETAG]

* [https://level-up.cc/ Level-up]

In Spanish:

* Materials from [https://karisma.org.co/biblioteca/ Fundación Karisma]

* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

== Acknowledgments ==
[[File:25_ManualSD_TR.png|300px]]

Técnicas Rudas is immeasurably grateful to Ercilia Sahores (Verbamate) for
dedicating more than one sleepless night to helping translate the
original Spanish text of this manual into English. We would also like to
thank Sophie Elizabeth Lally and Philippa Mary Williams for their
meticulous revisions and invaluable contributions in revising and
adapting the content of the English-language manual.

==Credits==
This guide was written by [http://tecnicasrudas.org Técnicas Rudas] with the support of the [https://iwpr.net/ Institute for War and Peace Reporting]. Illustrated by María Silva and Yutsil Mangas.

[[File:LogoTR.png|300px]] [[File:IWPR-LOGO.png|350px]]

== Appendix I: Report Template ==
[https://gendersec.tacticaltech.org/wiki/images/d/d7/DigitalSecurityRiskAssessment_PreliminaryReport_Template.odt Digital Security Risk Assesment Report Template]

== References ==

[[Category:How_To]]

Digital Security Assessment for Human Rights Organizations: A guide for facilitators

2017-09-06T18:26:02Z

Anamhoo: /* Credits */

[[File:01_ManualSD_TR.png|600px]]
== Introduction ==
[[File:24_ManualSD_TR.png|center|600px]]

Advances in Information and Communications Technologies (ICT) have played a critical role in expanding the potential of human rights organizations to make a difference by enabling wider reach, scaling-up and increasing efficiency in essential activities including internal and external communication, remote collaboration, data collection and analysis, and documentation. Simultaneously, the integration of digital technologies into their day to to day work has exposed activists to new risks evidenced by reports of widespread intrusions on privacy from the hacking of emails and Facebook accounts to the infecting of computers with government-purchased spyware and the monitoring of telephone communication. These new risks are also present in the physical robbery of computers, as well as the loss or theft of cellphones containing both personal and professional data. Unwanted access to confidential information can expose activists to a range of threats including blackmail, public humiliation, obstruction of campaign strategies and day-to-day operations through physical, economic or technical interventions, and attacks on their physical security and that of their families and allies in the field.

Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: Either resign to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs all together because it is not worth the risk.

At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenged faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a [https://holistic-security.tacticaltech.org/ holistic security strategy].

Unfortunately, due to lack of time, resources and information, civil society organizations and activists rarely embark on a deliberate process for developing a digital security strategy beyond receiving input from technical experts to resolve immediate issues or learning about best practices and new tools. As a result, agreements to use certain tools or abide by certain protocols are abandoned over time.

For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.

==How to use this guide==

[[File:02_ManualSD_TR.png|400px]]

This guide is directed primarily at the digital security training community, but may also prove useful for an organization that chooses to initiate a digital security process on its own. The activities and structure proposed herein can and should be adapted to the specific circumstances and needs of the organization. The guide can also be a useful reference for facilitators throughout the implementation of the diagnostic. The methodology can also be applied to individual assessments with minimal adjustments.

== Methodological Foundations==

The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.

=== Why "technopolitical"? ===
[[File:03_ManualSD_TR.png|left|350px|Tech]][[File:09_ManualSD_TR.png|riaght|350px|Tech2]]

A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".

A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment, however it also incorporates criteria related to social impact in its guidance on how to develop recommendations.

One example of applying a technopolitcal perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of [https://chupadados.codingrights.org/es/ Coding Rights]).

Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 government-driven surveillance and espionage taking place on a global scale]. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html systematic use of government-purchased spyware against human rights activists and journalists].

Other examples of and practical resources on technopolitics: Everything you read by the [https://www.eff.org/ Electronic Frontier Foundation]; Tactical Tech's [https://tacticaltech.org/projects/27 Politics of Data] project; a Human Rights Watch series on [https://www.hrw.org/news/2016/03/25/digital-disruption-human-rights “Digital Disruption of Human Rights”]; research projects by the [https://www.theengineroom.org/work/=research Engine Room]; the Data&Society Institute's program on [https://datasociety.net/initiatives/data-human-rights/ Data, Human Rights & Human Security].

Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.

=== Transhackfeminism===
[[File:04_ManualSD_TR.png|600px]]

Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:

a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries.

b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of ''Pitchblende'' to obtain just one gram of the material that led her to discover the radio.

c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization.

Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.

=== Popular Education===
[[File:05_ManualSD_TR.png|600px]]

Popular education starts with the recognition that education is a political act. This political act can be repressive if it establishes hierarchical power relations, or emancipatory if it breaks them. In line with popular education, we are proponents of the emancipatory role of education. Our methodology for the facilitation of the participatory diagnostic is guided by the following three axioms:

1) theory and practice are dialectically related

2) consciousness - as its etymology indicates - comes from knowledge learned in the company of others

3) The world not a static reality, but a reality in process (Paulo Freire) <ref>Greater detail on popular education is beyond the scope of this manual, however there is an extensive body of literature on the subject. We recommend starting with [Paolo Freire] (https://es.wikipedia.org/wiki/Paulo_Freire).</ref>

== Preparation ==

[[File:06_ManualSD_TR.png|300px]]

Though the bulk of the diagnostic is carried out ''in situ'' with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of the how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.

=== Research ===
[[File:26_ManualSD_TR.png|500px]]

a) Get to know the organization.

Most likely, you already know something about the organization before deciding to work with them. However, it's important to expand that knowledge as much as possible for two objectives: 1) to evaluate risk for the facilitation team, and 2) to ensure that the assessment process itself is appropriate for the context and culture of the organization.

Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the ''in situ'' participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.

When collecting "public information" for this initial review, consider anything that can be found in media outlets, press releases, political statements, posts on social media, as well as information about the server, legal representative and technical team associated with the domain, any sub-domains and official web address (which can be relatively easily found using websites such as https://whois.net/default.aspx), and if possible, the company that provides the organization's email services.

Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII)<ref>PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.</ref> could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?

b) Analysis of the regional, national and local technopolitical context

In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services,<ref>A potentially helpful resource for answering this question is ShareLab's ([https://labs.rs/en/metadata/ metadata investigation of spy company Hacking Team's email communications]).</ref> as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.

It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.

c) Get up-to-date on programs and tools

This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.

It is also indispensable to be familiar with the business models, privacy policies, and transparency reports of the major companies that provide common ICT services, as well as the security features and any reported security flaws in connection with their products. Consider:

* email
* instant-messaging apps
* file sharing, calendars, real-time shared document editing and other cloud services
* video conferencing
* online tech support programs
* social media platforms
* operating systems
* mobile telecommunications

=== Useful Materials===

For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.

[[File:08_ManualSD_TR.png|left|200px|Computer diagnostics]] For the computer diagnostics: At least two completely clean pin drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.

===Planning and communicating the agenda===

Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work ''in situ''. However, the facilitators should be prepared to dedicate additional time between sessions.

Depending on how the organization is structured, it is crucial that at least one member from each area participate in the diagnostic. This requirement should be extremely clear in the communications with the organization leading up to the diagnostic, as they are likely to only invite technical staff and/or directors. The purpose of requiring at least one person from each area is to obtain the most accurate and complete portrayal of how the organization works.

We recommended the following distribution of activities over the course of 1-2 consecutive days:

'''Day One'''

Morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).

Afternoon session (Facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.

'''Day Two'''

Morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.

It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.

Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one-two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators because you will have to run the computer diagnostics in the afternoon of Day 1 and/or morning of Day 2.

===Planning your trip===
[[File:10_ManualSD_TR.png|400px]]

In planning your trip consider the following factors: budget, security assessment for the facilitators, adequate rest, and conditions that permit you to work late into the night (just in case).

While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.

===Collective care===
[[File:12_ManualSD_TR.png|600px]]

A positive work environment maximizes the focus and energy levels of both the participants and the facilitators. Here are some collective-care measures that facilitators can take before and during the diagnostic:

1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.

[[File:11_ManualSD_TR.png|200px]]

2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.

===Facilitators===

In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:

* Systems Administration
* Analysis of ICTs, and digital security tools
* Pedagogical techniques
* Research on technopolitical topics
* Sensitivity in situations of high emotional stress

You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.

If the team is comprised of biological men and biological women,<ref>Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.</ref> it is important to be aware that organizations (society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred to different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.

== Implementation==

The first day of the ''in situ'' stage of the assessment is comprised of two activities: collective risk analysis with the members of the organization, simultaneously with the hardware diagnostics and evaluation of the facilities.

=== Collective risk analysis ===
[[File:07_ManualSD_TR.png|600px]]

Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:

* Arrange the tables and chairs in a semicircle or U

* Distribute crayons, markers and paper on the table

* Place three long columns of kraft paper on a wall visible to all participants

* On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary

* Obtain the WIFI password in case you need to/are able to research doubts online during the session

1. Presentation (Estimated duration: 10 min)

Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.

To create a constructive environment for conversation, debate and self-expression, it's helpful to agree on some basic guidelines for participation, such as but not limited to:

1. Listen actively and with an open mind to the contributions of others
2. Avoid monopolizing the conversation and interrupting others
3. Be courageous, share your experience and perspective

2. Activity: Around-the-clock (Estimated duration: 45 min)

Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.

Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.

Tip 1: While the participants are working on their drawings, write "Uses of technology" at the top of the first column of kraft paper and divide the column into four roughly equal sections that you label: Cell phone/tablet; Computer; Computer+Cell/tablet; Other devices. This will help organize the notes you take when the participants present their drawings.

After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages partipants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:

- "I use the alarm on my cellphone to wake up in the morning"
- "I use my computer to listen to music with Spotify"
- "I use an app on my cellphone that counts steps"
- "I use Whatsapp to share audio files with my colleagues"
- "I use Dropbox from my computer to backup my documents"

Tip 2: It is not necessary that each and every participant present their drawing. In the interest of time, after a few people have presented, encourage the remaining participants to share uses of technology that have not yet been presented.

Tip 3: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.

Result: At the conclusion of this exercise, you will have a list of the typical ways that the members of the organization use technology.

3. Activity: What information is produced? (Estimated duration: 45 min)

Objective: Determine what information is produced as a consequence of each use of technology.

Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 1), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate because in the course of this activity it is important to be as detailed and exhaustive as possibe. As a consensus is reached, capture the answer in the second column of kraft paper.

Tip 1: Though it may it seem obvious, it is important to provide a clear definition of the word "information". For example, in the case of a photograph, the information is not "the photo", which only refers to the jpg or png file, but the content of the image, such as what is happening, the identities of the people in the picture, their location and the time and date of the event, etc. In the case of an app for taxis, the information produced would be origins and destinations of travel, frequency of certain routes and methods of payment.

Tip 2: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.

Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.

4. Activity: Actor Brainstorm (Approximate duration: 1 hour)

Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.

Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.

After completing the list of actors, connect each actor (from column 3) with the information they would be interested in (from column 2) extending a piece of thread from the actor toward the corresponding information. Throughout the exercise, when you consider it pertinent, contribute information about the technopolitical context that the members of the organization may not be taking into account.

Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.

Tip 1: Assign a distinct color of thread to each actor or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.

Tip 2: If the participants are having a hard time coming up with ideas, suggest that they consider a range of types of actors, including international, national, local, political, religious groups, media, and even private individuals with personal interests or vendetta against the organization or its members.

Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).

5. Activity: Actor brainstorm continued- Narrowing down (Estimated duration: 1 hour)

Objective: Determine which actors, in addition to having interest in the information produced from the organization, also possess the capacities and resources necessary to obtain that information without the organization's consent.

Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.

Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.

In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.

When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.

Tip 1: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.

Tip 2: During this exercise, it would be extremely useful to have on hand a table, chart, or infographic that clearly illustrates the legal, technical, and economic prerequisites for obtaining and using different surveillance tools, as well as the specific types of ICTs that these distinct surveillance tools are capable of attacking.

Result: At the conclusion of this exercise, you will have narrowed down a list of actors who have a) an interest in obtaining the organization's information and b) the capacity to obtain it.

6. Activity: Traffic lights (Estimated duration: 1 hour)

Objective: Determine which of the organization's information is sensitive.

Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity '''5'''), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.

Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.

Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".

7. Activity: Doors and Locks (Estimated time: 20 min)

[[File:16_ManualSD_TR.png|400px]]

Objective: Identify mechanisms that could help protect the organization's sensitive information.

Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.

Refer back column 1 of the kraft paper "Uses of technology" to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.

Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:

Tip: In some contexts it may appear that participants do not have enough technical knowledge to have placed adequate "locks" on all their "doors". However, be wary of making false assumptions. Often, organizations put in place digital security mechanisms intuitively, and as facilitators, you should recognize that and bring these advances to their attention.

Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.

8. Closing (Approximate duration: 20 min)

To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.

If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.

Before parting ways, make sure to briefly explain to the group that the next stage of the diagnostic consists in the revision of the staff's computers and the facilities. Make clear that this review is not a forensic analysis, that no programs will be installed on the computers, and that no technical issues will be fixed. Rather, this part of the assessment will offer a bird's eye view of the type of information that is stored, programs that have been installed, and the state of antivirus protections.

Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.

[[File:22_ManualSD_TR.png|600px]]

The collective risk analysis is now complete. Your final step is to transcribe the results into the preliminary report template (Annex I).

'''Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.'''

=== Computer diagnostics and evaluation of facilities===
[[File:17_ManualSD_TR.png|300px]]

Another aspect of digital security is the environment in which devices are being used. Therefore it is important to undertake a systematic evaluation of some of the specific aspects of the facilities and local ICT infrastructure, including:

a) How easy/difficult it is to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.

b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?

c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?

d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?

e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?

f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.

As part of this general review, consider the following checklist:

- Determine if the staff's computers are connected to the internet via WIFI or Ethernet
- Evaluate the network configuration, the strength of the WIFI password, encryption type, and if they have VPN or VLAN configured
- Determine if the modem's original configuration has been changed
- Identify the organization's internet service provider

Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.

Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.

Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.

Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU_Linux operating system (the command '''dd''' could be a good option).

We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.

The main points covered in the computer diagnostics are:

- vulnerabilities due to the absence of an antivirus program, inactive firewall, and lack of security updates
- installation of programs that contain vulnerabilities such as malware, adware and other malicious software
- the exposure of sensitive data due to browsing the internet

If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.

In OS X, you can access the "Console" from the Utilities folder to review the system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.

On all operating systems, perform the following steps:

1. Check the status of firewall on all operating systems
2. Check the status of antivirus protections on the computers, including if an antivirus software is installed, if the database is up-to-date, and logs
3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you
4. Check which search engines are used, if search history and passwords are saved, and which plugins are installed

=== Reviewing findings ===

[[File:21_ManualSD_TR.png|left|300px|RF]][[File:08_ManualSD_TR.png|right|200px|Computer]]

At this time, you will have a large amount of information to review and process.

With respect to the files you saved during the computer diagnostics, review the programs installed. If any standout as uncommon, conduct additional research to determine if they may be a potential threat.

In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.

Tip: Prior to implementing the diagnostic, facilitators should familiarize themselves with common processes that are executed in the main operating systems and how those appear in event logs. With this knowledge under your belt, you will be able to more readily detect unusual processes when they are reported in logs. Remember that the goal is not so much to search for specific errors, but to discover patterns and anomalies.

=== Preparing the preliminary report ===

With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).

The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.

Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.

The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with [https://en.wikipedia.org/wiki/Planned_obsolescence built-in obsolescence] and to opt for [https://en.wikipedia.org/wiki/Free_and_open-source_softwareopen-source and free software].

Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.

=== Presenting the preliminary report ===
[[File:20_ManualSD_TR.png|600px]]

The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.

Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.

When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.

When all the feedback has been given and a consensus has been reached on the content of the preliminary report, the session is essentially adjourned. However, if any time remains, we highly recommend asking the participants to give you feedback on the methodology and facilitation style, as well as their overall sense of the utility of the diagnostic.

Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).

The facilitators must take care to securely transport any files from the computer diagnostics that require further analysis or incorporation into the final report. Securely delete these files once they are no longer needed.

== Putting together the final report==
[[File:19_ManualSD_TR.png|left|300px|Report]] The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.

The last step in the diagnostic is to deliver the final report to the organization. Make sure to send the report using a secure medium as it contains highly sensitive information about the security vulnerabilities of the organization. This is also an opportunity to set a precedent for the handling and transportation of sensitive files.

== Additional resources ==

Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual Zen Manual]

* [https://securityinabox.org/en Security In-A-Box]

* [https://ssd.eff.org Surveillance Self-Defense Security Starter Pack]

* [https://holistic-security.tacticaltech.org Holistic Security]

* [https://safetag.org/ SAFETAG]

* [https://level-up.cc/ Level-up]

In Spanish:

* Materials from [https://karisma.org.co/biblioteca/ Fundación Karisma]

* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

== Acknowledgments ==
[[File:25_ManualSD_TR.png|300px]]

Técnicas Rudas is immeasurably grateful to Ercilia Sahores (Verbamate) for
dedicating more than one sleepless night to helping translate the
original Spanish text of this manual into English. We would also like to
thank Sophie Elizabeth Lally and Philippa Mary Williams for their
meticulous revisions and invaluable contributions in revising and
adapting the content of the English-language manual.

==Credits==
This guide was written by [http://tecnicasrudas.org Técnicas Rudas] with the support of the [https://iwpr.net/ Institute for War and Peace Reporting]. Illustrated by María Silva and Yutsil Mangas.

[[File:LogoTR.png|300px]] [[File:IWPR-LOGO.png|350px]]

== Appendix I: Report Template ==
[https://gendersec.tacticaltech.org/wiki/images/d/d7/DigitalSecurityRiskAssessment_PreliminaryReport_Template.odt Digital Security Risk Assesment Report Template]

== References ==

[[Category:How_To]]

Digital Security Assessment for Human Rights Organizations: A guide for facilitators

2017-09-06T18:25:27Z

Anamhoo: /* Credits */

[[File:01_ManualSD_TR.png|600px]]
== Introduction ==
[[File:24_ManualSD_TR.png|center|600px]]

Advances in Information and Communications Technologies (ICT) have played a critical role in expanding the potential of human rights organizations to make a difference by enabling wider reach, scaling-up and increasing efficiency in essential activities including internal and external communication, remote collaboration, data collection and analysis, and documentation. Simultaneously, the integration of digital technologies into their day to to day work has exposed activists to new risks evidenced by reports of widespread intrusions on privacy from the hacking of emails and Facebook accounts to the infecting of computers with government-purchased spyware and the monitoring of telephone communication. These new risks are also present in the physical robbery of computers, as well as the loss or theft of cellphones containing both personal and professional data. Unwanted access to confidential information can expose activists to a range of threats including blackmail, public humiliation, obstruction of campaign strategies and day-to-day operations through physical, economic or technical interventions, and attacks on their physical security and that of their families and allies in the field.

Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: Either resign to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs all together because it is not worth the risk.

At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenged faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a [https://holistic-security.tacticaltech.org/ holistic security strategy].

Unfortunately, due to lack of time, resources and information, civil society organizations and activists rarely embark on a deliberate process for developing a digital security strategy beyond receiving input from technical experts to resolve immediate issues or learning about best practices and new tools. As a result, agreements to use certain tools or abide by certain protocols are abandoned over time.

For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.

==How to use this guide==

[[File:02_ManualSD_TR.png|400px]]

This guide is directed primarily at the digital security training community, but may also prove useful for an organization that chooses to initiate a digital security process on its own. The activities and structure proposed herein can and should be adapted to the specific circumstances and needs of the organization. The guide can also be a useful reference for facilitators throughout the implementation of the diagnostic. The methodology can also be applied to individual assessments with minimal adjustments.

== Methodological Foundations==

The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.

=== Why "technopolitical"? ===
[[File:03_ManualSD_TR.png|left|350px|Tech]][[File:09_ManualSD_TR.png|riaght|350px|Tech2]]

A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".

A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment, however it also incorporates criteria related to social impact in its guidance on how to develop recommendations.

One example of applying a technopolitcal perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of [https://chupadados.codingrights.org/es/ Coding Rights]).

Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 government-driven surveillance and espionage taking place on a global scale]. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html systematic use of government-purchased spyware against human rights activists and journalists].

Other examples of and practical resources on technopolitics: Everything you read by the [https://www.eff.org/ Electronic Frontier Foundation]; Tactical Tech's [https://tacticaltech.org/projects/27 Politics of Data] project; a Human Rights Watch series on [https://www.hrw.org/news/2016/03/25/digital-disruption-human-rights “Digital Disruption of Human Rights”]; research projects by the [https://www.theengineroom.org/work/=research Engine Room]; the Data&Society Institute's program on [https://datasociety.net/initiatives/data-human-rights/ Data, Human Rights & Human Security].

Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.

=== Transhackfeminism===
[[File:04_ManualSD_TR.png|600px]]

Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:

a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries.

b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of ''Pitchblende'' to obtain just one gram of the material that led her to discover the radio.

c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization.

Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.

=== Popular Education===
[[File:05_ManualSD_TR.png|600px]]

Popular education starts with the recognition that education is a political act. This political act can be repressive if it establishes hierarchical power relations, or emancipatory if it breaks them. In line with popular education, we are proponents of the emancipatory role of education. Our methodology for the facilitation of the participatory diagnostic is guided by the following three axioms:

1) theory and practice are dialectically related

2) consciousness - as its etymology indicates - comes from knowledge learned in the company of others

3) The world not a static reality, but a reality in process (Paulo Freire) <ref>Greater detail on popular education is beyond the scope of this manual, however there is an extensive body of literature on the subject. We recommend starting with [Paolo Freire] (https://es.wikipedia.org/wiki/Paulo_Freire).</ref>

== Preparation ==

[[File:06_ManualSD_TR.png|300px]]

Though the bulk of the diagnostic is carried out ''in situ'' with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of the how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.

=== Research ===
[[File:26_ManualSD_TR.png|500px]]

a) Get to know the organization.

Most likely, you already know something about the organization before deciding to work with them. However, it's important to expand that knowledge as much as possible for two objectives: 1) to evaluate risk for the facilitation team, and 2) to ensure that the assessment process itself is appropriate for the context and culture of the organization.

Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the ''in situ'' participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.

When collecting "public information" for this initial review, consider anything that can be found in media outlets, press releases, political statements, posts on social media, as well as information about the server, legal representative and technical team associated with the domain, any sub-domains and official web address (which can be relatively easily found using websites such as https://whois.net/default.aspx), and if possible, the company that provides the organization's email services.

Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII)<ref>PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.</ref> could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?

b) Analysis of the regional, national and local technopolitical context

In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services,<ref>A potentially helpful resource for answering this question is ShareLab's ([https://labs.rs/en/metadata/ metadata investigation of spy company Hacking Team's email communications]).</ref> as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.

It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.

c) Get up-to-date on programs and tools

This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.

It is also indispensable to be familiar with the business models, privacy policies, and transparency reports of the major companies that provide common ICT services, as well as the security features and any reported security flaws in connection with their products. Consider:

* email
* instant-messaging apps
* file sharing, calendars, real-time shared document editing and other cloud services
* video conferencing
* online tech support programs
* social media platforms
* operating systems
* mobile telecommunications

=== Useful Materials===

For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.

[[File:08_ManualSD_TR.png|left|200px|Computer diagnostics]] For the computer diagnostics: At least two completely clean pin drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.

===Planning and communicating the agenda===

Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work ''in situ''. However, the facilitators should be prepared to dedicate additional time between sessions.

Depending on how the organization is structured, it is crucial that at least one member from each area participate in the diagnostic. This requirement should be extremely clear in the communications with the organization leading up to the diagnostic, as they are likely to only invite technical staff and/or directors. The purpose of requiring at least one person from each area is to obtain the most accurate and complete portrayal of how the organization works.

We recommended the following distribution of activities over the course of 1-2 consecutive days:

'''Day One'''

Morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).

Afternoon session (Facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.

'''Day Two'''

Morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.

It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.

Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one-two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators because you will have to run the computer diagnostics in the afternoon of Day 1 and/or morning of Day 2.

===Planning your trip===
[[File:10_ManualSD_TR.png|400px]]

In planning your trip consider the following factors: budget, security assessment for the facilitators, adequate rest, and conditions that permit you to work late into the night (just in case).

While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.

===Collective care===
[[File:12_ManualSD_TR.png|600px]]

A positive work environment maximizes the focus and energy levels of both the participants and the facilitators. Here are some collective-care measures that facilitators can take before and during the diagnostic:

1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.

[[File:11_ManualSD_TR.png|200px]]

2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.

===Facilitators===

In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:

* Systems Administration
* Analysis of ICTs, and digital security tools
* Pedagogical techniques
* Research on technopolitical topics
* Sensitivity in situations of high emotional stress

You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.

If the team is comprised of biological men and biological women,<ref>Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.</ref> it is important to be aware that organizations (society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred to different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.

== Implementation==

The first day of the ''in situ'' stage of the assessment is comprised of two activities: collective risk analysis with the members of the organization, simultaneously with the hardware diagnostics and evaluation of the facilities.

=== Collective risk analysis ===
[[File:07_ManualSD_TR.png|600px]]

Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:

* Arrange the tables and chairs in a semicircle or U

* Distribute crayons, markers and paper on the table

* Place three long columns of kraft paper on a wall visible to all participants

* On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary

* Obtain the WIFI password in case you need to/are able to research doubts online during the session

1. Presentation (Estimated duration: 10 min)

Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.

To create a constructive environment for conversation, debate and self-expression, it's helpful to agree on some basic guidelines for participation, such as but not limited to:

1. Listen actively and with an open mind to the contributions of others
2. Avoid monopolizing the conversation and interrupting others
3. Be courageous, share your experience and perspective

2. Activity: Around-the-clock (Estimated duration: 45 min)

Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.

Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.

Tip 1: While the participants are working on their drawings, write "Uses of technology" at the top of the first column of kraft paper and divide the column into four roughly equal sections that you label: Cell phone/tablet; Computer; Computer+Cell/tablet; Other devices. This will help organize the notes you take when the participants present their drawings.

After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages partipants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:

- "I use the alarm on my cellphone to wake up in the morning"
- "I use my computer to listen to music with Spotify"
- "I use an app on my cellphone that counts steps"
- "I use Whatsapp to share audio files with my colleagues"
- "I use Dropbox from my computer to backup my documents"

Tip 2: It is not necessary that each and every participant present their drawing. In the interest of time, after a few people have presented, encourage the remaining participants to share uses of technology that have not yet been presented.

Tip 3: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.

Result: At the conclusion of this exercise, you will have a list of the typical ways that the members of the organization use technology.

3. Activity: What information is produced? (Estimated duration: 45 min)

Objective: Determine what information is produced as a consequence of each use of technology.

Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 1), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate because in the course of this activity it is important to be as detailed and exhaustive as possibe. As a consensus is reached, capture the answer in the second column of kraft paper.

Tip 1: Though it may it seem obvious, it is important to provide a clear definition of the word "information". For example, in the case of a photograph, the information is not "the photo", which only refers to the jpg or png file, but the content of the image, such as what is happening, the identities of the people in the picture, their location and the time and date of the event, etc. In the case of an app for taxis, the information produced would be origins and destinations of travel, frequency of certain routes and methods of payment.

Tip 2: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.

Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.

4. Activity: Actor Brainstorm (Approximate duration: 1 hour)

Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.

Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.

After completing the list of actors, connect each actor (from column 3) with the information they would be interested in (from column 2) extending a piece of thread from the actor toward the corresponding information. Throughout the exercise, when you consider it pertinent, contribute information about the technopolitical context that the members of the organization may not be taking into account.

Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.

Tip 1: Assign a distinct color of thread to each actor or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.

Tip 2: If the participants are having a hard time coming up with ideas, suggest that they consider a range of types of actors, including international, national, local, political, religious groups, media, and even private individuals with personal interests or vendetta against the organization or its members.

Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).

5. Activity: Actor brainstorm continued- Narrowing down (Estimated duration: 1 hour)

Objective: Determine which actors, in addition to having interest in the information produced from the organization, also possess the capacities and resources necessary to obtain that information without the organization's consent.

Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.

Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.

In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.

When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.

Tip 1: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.

Tip 2: During this exercise, it would be extremely useful to have on hand a table, chart, or infographic that clearly illustrates the legal, technical, and economic prerequisites for obtaining and using different surveillance tools, as well as the specific types of ICTs that these distinct surveillance tools are capable of attacking.

Result: At the conclusion of this exercise, you will have narrowed down a list of actors who have a) an interest in obtaining the organization's information and b) the capacity to obtain it.

6. Activity: Traffic lights (Estimated duration: 1 hour)

Objective: Determine which of the organization's information is sensitive.

Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity '''5'''), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.

Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.

Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".

7. Activity: Doors and Locks (Estimated time: 20 min)

[[File:16_ManualSD_TR.png|400px]]

Objective: Identify mechanisms that could help protect the organization's sensitive information.

Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.

Refer back column 1 of the kraft paper "Uses of technology" to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.

Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:

Tip: In some contexts it may appear that participants do not have enough technical knowledge to have placed adequate "locks" on all their "doors". However, be wary of making false assumptions. Often, organizations put in place digital security mechanisms intuitively, and as facilitators, you should recognize that and bring these advances to their attention.

Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.

8. Closing (Approximate duration: 20 min)

To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.

If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.

Before parting ways, make sure to briefly explain to the group that the next stage of the diagnostic consists in the revision of the staff's computers and the facilities. Make clear that this review is not a forensic analysis, that no programs will be installed on the computers, and that no technical issues will be fixed. Rather, this part of the assessment will offer a bird's eye view of the type of information that is stored, programs that have been installed, and the state of antivirus protections.

Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.

[[File:22_ManualSD_TR.png|600px]]

The collective risk analysis is now complete. Your final step is to transcribe the results into the preliminary report template (Annex I).

'''Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.'''

=== Computer diagnostics and evaluation of facilities===
[[File:17_ManualSD_TR.png|300px]]

Another aspect of digital security is the environment in which devices are being used. Therefore it is important to undertake a systematic evaluation of some of the specific aspects of the facilities and local ICT infrastructure, including:

a) How easy/difficult it is to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.

b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?

c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?

d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?

e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?

f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.

As part of this general review, consider the following checklist:

- Determine if the staff's computers are connected to the internet via WIFI or Ethernet
- Evaluate the network configuration, the strength of the WIFI password, encryption type, and if they have VPN or VLAN configured
- Determine if the modem's original configuration has been changed
- Identify the organization's internet service provider

Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.

Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.

Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.

Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU_Linux operating system (the command '''dd''' could be a good option).

We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.

The main points covered in the computer diagnostics are:

- vulnerabilities due to the absence of an antivirus program, inactive firewall, and lack of security updates
- installation of programs that contain vulnerabilities such as malware, adware and other malicious software
- the exposure of sensitive data due to browsing the internet

If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.

In OS X, you can access the "Console" from the Utilities folder to review the system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.

On all operating systems, perform the following steps:

1. Check the status of firewall on all operating systems
2. Check the status of antivirus protections on the computers, including if an antivirus software is installed, if the database is up-to-date, and logs
3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you
4. Check which search engines are used, if search history and passwords are saved, and which plugins are installed

=== Reviewing findings ===

[[File:21_ManualSD_TR.png|left|300px|RF]][[File:08_ManualSD_TR.png|right|200px|Computer]]

At this time, you will have a large amount of information to review and process.

With respect to the files you saved during the computer diagnostics, review the programs installed. If any standout as uncommon, conduct additional research to determine if they may be a potential threat.

In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.

Tip: Prior to implementing the diagnostic, facilitators should familiarize themselves with common processes that are executed in the main operating systems and how those appear in event logs. With this knowledge under your belt, you will be able to more readily detect unusual processes when they are reported in logs. Remember that the goal is not so much to search for specific errors, but to discover patterns and anomalies.

=== Preparing the preliminary report ===

With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).

The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.

Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.

The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with [https://en.wikipedia.org/wiki/Planned_obsolescence built-in obsolescence] and to opt for [https://en.wikipedia.org/wiki/Free_and_open-source_softwareopen-source and free software].

Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.

=== Presenting the preliminary report ===
[[File:20_ManualSD_TR.png|600px]]

The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.

Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.

When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.

When all the feedback has been given and a consensus has been reached on the content of the preliminary report, the session is essentially adjourned. However, if any time remains, we highly recommend asking the participants to give you feedback on the methodology and facilitation style, as well as their overall sense of the utility of the diagnostic.

Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).

The facilitators must take care to securely transport any files from the computer diagnostics that require further analysis or incorporation into the final report. Securely delete these files once they are no longer needed.

== Putting together the final report==
[[File:19_ManualSD_TR.png|left|300px|Report]] The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.

The last step in the diagnostic is to deliver the final report to the organization. Make sure to send the report using a secure medium as it contains highly sensitive information about the security vulnerabilities of the organization. This is also an opportunity to set a precedent for the handling and transportation of sensitive files.

== Additional resources ==

Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual Zen Manual]

* [https://securityinabox.org/en Security In-A-Box]

* [https://ssd.eff.org Surveillance Self-Defense Security Starter Pack]

* [https://holistic-security.tacticaltech.org Holistic Security]

* [https://safetag.org/ SAFETAG]

* [https://level-up.cc/ Level-up]

In Spanish:

* Materials from [https://karisma.org.co/biblioteca/ Fundación Karisma]

* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

== Acknowledgments ==
[[File:25_ManualSD_TR.png|300px]]

Técnicas Rudas is immeasurably grateful to Ercilia Sahores (Verbamate) for
dedicating more than one sleepless night to helping translate the
original Spanish text of this manual into English. We would also like to
thank Sophie Elizabeth Lally and Philippa Mary Williams for their
meticulous revisions and invaluable contributions in revising and
adapting the content of the English-language manual.

==Credits==
This guide was written by [http://tecnicasrudas.org Técnicas Rudas] with the support of the [https://iwpr.net/ Institute for War and Peace Reporting]. Illustrated by María Silva and Yutsil Mangas.

[[File:LogoTR.png|300px]] [[File:IWPR-LOGO.png|350px]]

== Appendix I: Report Template ==
[https://gendersec.tacticaltech.org/wiki/images/d/d7/DigitalSecurityRiskAssessment_PreliminaryReport_Template.odt Digital Security Risk Assesment Report Template]

== References ==

[[Category:How_To]]

Digital Security Assessment for Human Rights Organizations: A guide for facilitators

2017-09-06T18:24:08Z

Anamhoo: /* Credits */

[[File:01_ManualSD_TR.png|600px]]
== Introduction ==
[[File:24_ManualSD_TR.png|center|600px]]

Advances in Information and Communications Technologies (ICT) have played a critical role in expanding the potential of human rights organizations to make a difference by enabling wider reach, scaling-up and increasing efficiency in essential activities including internal and external communication, remote collaboration, data collection and analysis, and documentation. Simultaneously, the integration of digital technologies into their day to to day work has exposed activists to new risks evidenced by reports of widespread intrusions on privacy from the hacking of emails and Facebook accounts to the infecting of computers with government-purchased spyware and the monitoring of telephone communication. These new risks are also present in the physical robbery of computers, as well as the loss or theft of cellphones containing both personal and professional data. Unwanted access to confidential information can expose activists to a range of threats including blackmail, public humiliation, obstruction of campaign strategies and day-to-day operations through physical, economic or technical interventions, and attacks on their physical security and that of their families and allies in the field.

Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: Either resign to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs all together because it is not worth the risk.

At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenged faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a [https://holistic-security.tacticaltech.org/ holistic security strategy].

Unfortunately, due to lack of time, resources and information, civil society organizations and activists rarely embark on a deliberate process for developing a digital security strategy beyond receiving input from technical experts to resolve immediate issues or learning about best practices and new tools. As a result, agreements to use certain tools or abide by certain protocols are abandoned over time.

For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.

==How to use this guide==

[[File:02_ManualSD_TR.png|400px]]

This guide is directed primarily at the digital security training community, but may also prove useful for an organization that chooses to initiate a digital security process on its own. The activities and structure proposed herein can and should be adapted to the specific circumstances and needs of the organization. The guide can also be a useful reference for facilitators throughout the implementation of the diagnostic. The methodology can also be applied to individual assessments with minimal adjustments.

== Methodological Foundations==

The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.

=== Why "technopolitical"? ===
[[File:03_ManualSD_TR.png|left|350px|Tech]][[File:09_ManualSD_TR.png|riaght|350px|Tech2]]

A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".

A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment, however it also incorporates criteria related to social impact in its guidance on how to develop recommendations.

One example of applying a technopolitcal perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of [https://chupadados.codingrights.org/es/ Coding Rights]).

Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 government-driven surveillance and espionage taking place on a global scale]. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html systematic use of government-purchased spyware against human rights activists and journalists].

Other examples of and practical resources on technopolitics: Everything you read by the [https://www.eff.org/ Electronic Frontier Foundation]; Tactical Tech's [https://tacticaltech.org/projects/27 Politics of Data] project; a Human Rights Watch series on [https://www.hrw.org/news/2016/03/25/digital-disruption-human-rights “Digital Disruption of Human Rights”]; research projects by the [https://www.theengineroom.org/work/=research Engine Room]; the Data&Society Institute's program on [https://datasociety.net/initiatives/data-human-rights/ Data, Human Rights & Human Security].

Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.

=== Transhackfeminism===
[[File:04_ManualSD_TR.png|600px]]

Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:

a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries.

b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of ''Pitchblende'' to obtain just one gram of the material that led her to discover the radio.

c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization.

Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.

=== Popular Education===
[[File:05_ManualSD_TR.png|600px]]

Popular education starts with the recognition that education is a political act. This political act can be repressive if it establishes hierarchical power relations, or emancipatory if it breaks them. In line with popular education, we are proponents of the emancipatory role of education. Our methodology for the facilitation of the participatory diagnostic is guided by the following three axioms:

1) theory and practice are dialectically related

2) consciousness - as its etymology indicates - comes from knowledge learned in the company of others

3) The world not a static reality, but a reality in process (Paulo Freire) <ref>Greater detail on popular education is beyond the scope of this manual, however there is an extensive body of literature on the subject. We recommend starting with [Paolo Freire] (https://es.wikipedia.org/wiki/Paulo_Freire).</ref>

== Preparation ==

[[File:06_ManualSD_TR.png|300px]]

Though the bulk of the diagnostic is carried out ''in situ'' with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of the how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.

=== Research ===
[[File:26_ManualSD_TR.png|500px]]

a) Get to know the organization.

Most likely, you already know something about the organization before deciding to work with them. However, it's important to expand that knowledge as much as possible for two objectives: 1) to evaluate risk for the facilitation team, and 2) to ensure that the assessment process itself is appropriate for the context and culture of the organization.

Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the ''in situ'' participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.

When collecting "public information" for this initial review, consider anything that can be found in media outlets, press releases, political statements, posts on social media, as well as information about the server, legal representative and technical team associated with the domain, any sub-domains and official web address (which can be relatively easily found using websites such as https://whois.net/default.aspx), and if possible, the company that provides the organization's email services.

Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII)<ref>PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.</ref> could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?

b) Analysis of the regional, national and local technopolitical context

In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services,<ref>A potentially helpful resource for answering this question is ShareLab's ([https://labs.rs/en/metadata/ metadata investigation of spy company Hacking Team's email communications]).</ref> as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.

It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.

c) Get up-to-date on programs and tools

This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.

It is also indispensable to be familiar with the business models, privacy policies, and transparency reports of the major companies that provide common ICT services, as well as the security features and any reported security flaws in connection with their products. Consider:

* email
* instant-messaging apps
* file sharing, calendars, real-time shared document editing and other cloud services
* video conferencing
* online tech support programs
* social media platforms
* operating systems
* mobile telecommunications

=== Useful Materials===

For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.

[[File:08_ManualSD_TR.png|left|200px|Computer diagnostics]] For the computer diagnostics: At least two completely clean pin drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.

===Planning and communicating the agenda===

Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work ''in situ''. However, the facilitators should be prepared to dedicate additional time between sessions.

Depending on how the organization is structured, it is crucial that at least one member from each area participate in the diagnostic. This requirement should be extremely clear in the communications with the organization leading up to the diagnostic, as they are likely to only invite technical staff and/or directors. The purpose of requiring at least one person from each area is to obtain the most accurate and complete portrayal of how the organization works.

We recommended the following distribution of activities over the course of 1-2 consecutive days:

'''Day One'''

Morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).

Afternoon session (Facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.

'''Day Two'''

Morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.

It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.

Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one-two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators because you will have to run the computer diagnostics in the afternoon of Day 1 and/or morning of Day 2.

===Planning your trip===
[[File:10_ManualSD_TR.png|400px]]

In planning your trip consider the following factors: budget, security assessment for the facilitators, adequate rest, and conditions that permit you to work late into the night (just in case).

While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.

===Collective care===
[[File:12_ManualSD_TR.png|600px]]

A positive work environment maximizes the focus and energy levels of both the participants and the facilitators. Here are some collective-care measures that facilitators can take before and during the diagnostic:

1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.

[[File:11_ManualSD_TR.png|200px]]

2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.

===Facilitators===

In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:

* Systems Administration
* Analysis of ICTs, and digital security tools
* Pedagogical techniques
* Research on technopolitical topics
* Sensitivity in situations of high emotional stress

You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.

If the team is comprised of biological men and biological women,<ref>Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.</ref> it is important to be aware that organizations (society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred to different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.

== Implementation==

The first day of the ''in situ'' stage of the assessment is comprised of two activities: collective risk analysis with the members of the organization, simultaneously with the hardware diagnostics and evaluation of the facilities.

=== Collective risk analysis ===
[[File:07_ManualSD_TR.png|600px]]

Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:

* Arrange the tables and chairs in a semicircle or U

* Distribute crayons, markers and paper on the table

* Place three long columns of kraft paper on a wall visible to all participants

* On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary

* Obtain the WIFI password in case you need to/are able to research doubts online during the session

1. Presentation (Estimated duration: 10 min)

Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.

To create a constructive environment for conversation, debate and self-expression, it's helpful to agree on some basic guidelines for participation, such as but not limited to:

1. Listen actively and with an open mind to the contributions of others
2. Avoid monopolizing the conversation and interrupting others
3. Be courageous, share your experience and perspective

2. Activity: Around-the-clock (Estimated duration: 45 min)

Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.

Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.

Tip 1: While the participants are working on their drawings, write "Uses of technology" at the top of the first column of kraft paper and divide the column into four roughly equal sections that you label: Cell phone/tablet; Computer; Computer+Cell/tablet; Other devices. This will help organize the notes you take when the participants present their drawings.

After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages partipants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:

- "I use the alarm on my cellphone to wake up in the morning"
- "I use my computer to listen to music with Spotify"
- "I use an app on my cellphone that counts steps"
- "I use Whatsapp to share audio files with my colleagues"
- "I use Dropbox from my computer to backup my documents"

Tip 2: It is not necessary that each and every participant present their drawing. In the interest of time, after a few people have presented, encourage the remaining participants to share uses of technology that have not yet been presented.

Tip 3: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.

Result: At the conclusion of this exercise, you will have a list of the typical ways that the members of the organization use technology.

3. Activity: What information is produced? (Estimated duration: 45 min)

Objective: Determine what information is produced as a consequence of each use of technology.

Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 1), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate because in the course of this activity it is important to be as detailed and exhaustive as possibe. As a consensus is reached, capture the answer in the second column of kraft paper.

Tip 1: Though it may it seem obvious, it is important to provide a clear definition of the word "information". For example, in the case of a photograph, the information is not "the photo", which only refers to the jpg or png file, but the content of the image, such as what is happening, the identities of the people in the picture, their location and the time and date of the event, etc. In the case of an app for taxis, the information produced would be origins and destinations of travel, frequency of certain routes and methods of payment.

Tip 2: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.

Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.

4. Activity: Actor Brainstorm (Approximate duration: 1 hour)

Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.

Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.

After completing the list of actors, connect each actor (from column 3) with the information they would be interested in (from column 2) extending a piece of thread from the actor toward the corresponding information. Throughout the exercise, when you consider it pertinent, contribute information about the technopolitical context that the members of the organization may not be taking into account.

Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.

Tip 1: Assign a distinct color of thread to each actor or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.

Tip 2: If the participants are having a hard time coming up with ideas, suggest that they consider a range of types of actors, including international, national, local, political, religious groups, media, and even private individuals with personal interests or vendetta against the organization or its members.

Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).

5. Activity: Actor brainstorm continued- Narrowing down (Estimated duration: 1 hour)

Objective: Determine which actors, in addition to having interest in the information produced from the organization, also possess the capacities and resources necessary to obtain that information without the organization's consent.

Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.

Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.

In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.

When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.

Tip 1: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.

Tip 2: During this exercise, it would be extremely useful to have on hand a table, chart, or infographic that clearly illustrates the legal, technical, and economic prerequisites for obtaining and using different surveillance tools, as well as the specific types of ICTs that these distinct surveillance tools are capable of attacking.

Result: At the conclusion of this exercise, you will have narrowed down a list of actors who have a) an interest in obtaining the organization's information and b) the capacity to obtain it.

6. Activity: Traffic lights (Estimated duration: 1 hour)

Objective: Determine which of the organization's information is sensitive.

Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity '''5'''), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.

Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.

Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".

7. Activity: Doors and Locks (Estimated time: 20 min)

[[File:16_ManualSD_TR.png|400px]]

Objective: Identify mechanisms that could help protect the organization's sensitive information.

Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.

Refer back column 1 of the kraft paper "Uses of technology" to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.

Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:

Tip: In some contexts it may appear that participants do not have enough technical knowledge to have placed adequate "locks" on all their "doors". However, be wary of making false assumptions. Often, organizations put in place digital security mechanisms intuitively, and as facilitators, you should recognize that and bring these advances to their attention.

Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.

8. Closing (Approximate duration: 20 min)

To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.

If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.

Before parting ways, make sure to briefly explain to the group that the next stage of the diagnostic consists in the revision of the staff's computers and the facilities. Make clear that this review is not a forensic analysis, that no programs will be installed on the computers, and that no technical issues will be fixed. Rather, this part of the assessment will offer a bird's eye view of the type of information that is stored, programs that have been installed, and the state of antivirus protections.

Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.

[[File:22_ManualSD_TR.png|600px]]

The collective risk analysis is now complete. Your final step is to transcribe the results into the preliminary report template (Annex I).

'''Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.'''

=== Computer diagnostics and evaluation of facilities===
[[File:17_ManualSD_TR.png|300px]]

Another aspect of digital security is the environment in which devices are being used. Therefore it is important to undertake a systematic evaluation of some of the specific aspects of the facilities and local ICT infrastructure, including:

a) How easy/difficult it is to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.

b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?

c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?

d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?

e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?

f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.

As part of this general review, consider the following checklist:

- Determine if the staff's computers are connected to the internet via WIFI or Ethernet
- Evaluate the network configuration, the strength of the WIFI password, encryption type, and if they have VPN or VLAN configured
- Determine if the modem's original configuration has been changed
- Identify the organization's internet service provider

Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.

Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.

Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.

Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU_Linux operating system (the command '''dd''' could be a good option).

We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.

The main points covered in the computer diagnostics are:

- vulnerabilities due to the absence of an antivirus program, inactive firewall, and lack of security updates
- installation of programs that contain vulnerabilities such as malware, adware and other malicious software
- the exposure of sensitive data due to browsing the internet

If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.

In OS X, you can access the "Console" from the Utilities folder to review the system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.

On all operating systems, perform the following steps:

1. Check the status of firewall on all operating systems
2. Check the status of antivirus protections on the computers, including if an antivirus software is installed, if the database is up-to-date, and logs
3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you
4. Check which search engines are used, if search history and passwords are saved, and which plugins are installed

=== Reviewing findings ===

[[File:21_ManualSD_TR.png|left|300px|RF]][[File:08_ManualSD_TR.png|right|200px|Computer]]

At this time, you will have a large amount of information to review and process.

With respect to the files you saved during the computer diagnostics, review the programs installed. If any standout as uncommon, conduct additional research to determine if they may be a potential threat.

In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.

Tip: Prior to implementing the diagnostic, facilitators should familiarize themselves with common processes that are executed in the main operating systems and how those appear in event logs. With this knowledge under your belt, you will be able to more readily detect unusual processes when they are reported in logs. Remember that the goal is not so much to search for specific errors, but to discover patterns and anomalies.

=== Preparing the preliminary report ===

With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).

The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.

Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.

The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with [https://en.wikipedia.org/wiki/Planned_obsolescence built-in obsolescence] and to opt for [https://en.wikipedia.org/wiki/Free_and_open-source_softwareopen-source and free software].

Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.

=== Presenting the preliminary report ===
[[File:20_ManualSD_TR.png|600px]]

The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.

Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.

When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.

When all the feedback has been given and a consensus has been reached on the content of the preliminary report, the session is essentially adjourned. However, if any time remains, we highly recommend asking the participants to give you feedback on the methodology and facilitation style, as well as their overall sense of the utility of the diagnostic.

Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).

The facilitators must take care to securely transport any files from the computer diagnostics that require further analysis or incorporation into the final report. Securely delete these files once they are no longer needed.

== Putting together the final report==
[[File:19_ManualSD_TR.png|left|300px|Report]] The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.

The last step in the diagnostic is to deliver the final report to the organization. Make sure to send the report using a secure medium as it contains highly sensitive information about the security vulnerabilities of the organization. This is also an opportunity to set a precedent for the handling and transportation of sensitive files.

== Additional resources ==

Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual Zen Manual]

* [https://securityinabox.org/en Security In-A-Box]

* [https://ssd.eff.org Surveillance Self-Defense Security Starter Pack]

* [https://holistic-security.tacticaltech.org Holistic Security]

* [https://safetag.org/ SAFETAG]

* [https://level-up.cc/ Level-up]

In Spanish:

* Materials from [https://karisma.org.co/biblioteca/ Fundación Karisma]

* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

== Acknowledgments ==
[[File:25_ManualSD_TR.png|300px]]

Técnicas Rudas is immeasurably grateful to Ercilia Sahores (Verbamate) for
dedicating more than one sleepless night to helping translate the
original Spanish text of this manual into English. We would also like to
thank Sophie Elizabeth Lally and Philippa Mary Williams for their
meticulous revisions and invaluable contributions in revising and
adapting the content of the English-language manual.

==Credits==
This guide was written by [http://tecnicasrudas.org Técnicas Rudas] with the support of the [https://iwpr.net/ Institute for War and Peace Reporting]. Illustrated by María Silva and Yutsil Mangas.

[[File:LogoTR.png|right|300px||Técnicas Rudas]]
[[File:IWPR-LOGO.png|left|350px|IWPR]]

== Appendix I: Report Template ==
[https://gendersec.tacticaltech.org/wiki/images/d/d7/DigitalSecurityRiskAssessment_PreliminaryReport_Template.odt Digital Security Risk Assesment Report Template]

== References ==

[[Category:How_To]]

Digital Security Assessment for Human Rights Organizations: A guide for facilitators

2017-09-06T18:23:07Z

Anamhoo: /* Credits */

[[File:01_ManualSD_TR.png|600px]]
== Introduction ==
[[File:24_ManualSD_TR.png|center|600px]]

Advances in Information and Communications Technologies (ICT) have played a critical role in expanding the potential of human rights organizations to make a difference by enabling wider reach, scaling-up and increasing efficiency in essential activities including internal and external communication, remote collaboration, data collection and analysis, and documentation. Simultaneously, the integration of digital technologies into their day to to day work has exposed activists to new risks evidenced by reports of widespread intrusions on privacy from the hacking of emails and Facebook accounts to the infecting of computers with government-purchased spyware and the monitoring of telephone communication. These new risks are also present in the physical robbery of computers, as well as the loss or theft of cellphones containing both personal and professional data. Unwanted access to confidential information can expose activists to a range of threats including blackmail, public humiliation, obstruction of campaign strategies and day-to-day operations through physical, economic or technical interventions, and attacks on their physical security and that of their families and allies in the field.

Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: Either resign to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs all together because it is not worth the risk.

At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenged faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a [https://holistic-security.tacticaltech.org/ holistic security strategy].

Unfortunately, due to lack of time, resources and information, civil society organizations and activists rarely embark on a deliberate process for developing a digital security strategy beyond receiving input from technical experts to resolve immediate issues or learning about best practices and new tools. As a result, agreements to use certain tools or abide by certain protocols are abandoned over time.

For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.

==How to use this guide==

[[File:02_ManualSD_TR.png|400px]]

This guide is directed primarily at the digital security training community, but may also prove useful for an organization that chooses to initiate a digital security process on its own. The activities and structure proposed herein can and should be adapted to the specific circumstances and needs of the organization. The guide can also be a useful reference for facilitators throughout the implementation of the diagnostic. The methodology can also be applied to individual assessments with minimal adjustments.

== Methodological Foundations==

The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.

=== Why "technopolitical"? ===
[[File:03_ManualSD_TR.png|left|350px|Tech]][[File:09_ManualSD_TR.png|riaght|350px|Tech2]]

A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".

A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment, however it also incorporates criteria related to social impact in its guidance on how to develop recommendations.

One example of applying a technopolitcal perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of [https://chupadados.codingrights.org/es/ Coding Rights]).

Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 government-driven surveillance and espionage taking place on a global scale]. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html systematic use of government-purchased spyware against human rights activists and journalists].

Other examples of and practical resources on technopolitics: Everything you read by the [https://www.eff.org/ Electronic Frontier Foundation]; Tactical Tech's [https://tacticaltech.org/projects/27 Politics of Data] project; a Human Rights Watch series on [https://www.hrw.org/news/2016/03/25/digital-disruption-human-rights “Digital Disruption of Human Rights”]; research projects by the [https://www.theengineroom.org/work/=research Engine Room]; the Data&Society Institute's program on [https://datasociety.net/initiatives/data-human-rights/ Data, Human Rights & Human Security].

Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.

=== Transhackfeminism===
[[File:04_ManualSD_TR.png|600px]]

Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:

a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries.

b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of ''Pitchblende'' to obtain just one gram of the material that led her to discover the radio.

c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization.

Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.

=== Popular Education===
[[File:05_ManualSD_TR.png|600px]]

Popular education starts with the recognition that education is a political act. This political act can be repressive if it establishes hierarchical power relations, or emancipatory if it breaks them. In line with popular education, we are proponents of the emancipatory role of education. Our methodology for the facilitation of the participatory diagnostic is guided by the following three axioms:

1) theory and practice are dialectically related

2) consciousness - as its etymology indicates - comes from knowledge learned in the company of others

3) The world not a static reality, but a reality in process (Paulo Freire) <ref>Greater detail on popular education is beyond the scope of this manual, however there is an extensive body of literature on the subject. We recommend starting with [Paolo Freire] (https://es.wikipedia.org/wiki/Paulo_Freire).</ref>

== Preparation ==

[[File:06_ManualSD_TR.png|300px]]

Though the bulk of the diagnostic is carried out ''in situ'' with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of the how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.

=== Research ===
[[File:26_ManualSD_TR.png|500px]]

a) Get to know the organization.

Most likely, you already know something about the organization before deciding to work with them. However, it's important to expand that knowledge as much as possible for two objectives: 1) to evaluate risk for the facilitation team, and 2) to ensure that the assessment process itself is appropriate for the context and culture of the organization.

Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the ''in situ'' participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.

When collecting "public information" for this initial review, consider anything that can be found in media outlets, press releases, political statements, posts on social media, as well as information about the server, legal representative and technical team associated with the domain, any sub-domains and official web address (which can be relatively easily found using websites such as https://whois.net/default.aspx), and if possible, the company that provides the organization's email services.

Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII)<ref>PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.</ref> could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?

b) Analysis of the regional, national and local technopolitical context

In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services,<ref>A potentially helpful resource for answering this question is ShareLab's ([https://labs.rs/en/metadata/ metadata investigation of spy company Hacking Team's email communications]).</ref> as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.

It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.

c) Get up-to-date on programs and tools

This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.

It is also indispensable to be familiar with the business models, privacy policies, and transparency reports of the major companies that provide common ICT services, as well as the security features and any reported security flaws in connection with their products. Consider:

* email
* instant-messaging apps
* file sharing, calendars, real-time shared document editing and other cloud services
* video conferencing
* online tech support programs
* social media platforms
* operating systems
* mobile telecommunications

=== Useful Materials===

For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.

[[File:08_ManualSD_TR.png|left|200px|Computer diagnostics]] For the computer diagnostics: At least two completely clean pin drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.

===Planning and communicating the agenda===

Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work ''in situ''. However, the facilitators should be prepared to dedicate additional time between sessions.

Depending on how the organization is structured, it is crucial that at least one member from each area participate in the diagnostic. This requirement should be extremely clear in the communications with the organization leading up to the diagnostic, as they are likely to only invite technical staff and/or directors. The purpose of requiring at least one person from each area is to obtain the most accurate and complete portrayal of how the organization works.

We recommended the following distribution of activities over the course of 1-2 consecutive days:

'''Day One'''

Morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).

Afternoon session (Facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.

'''Day Two'''

Morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.

It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.

Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one-two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators because you will have to run the computer diagnostics in the afternoon of Day 1 and/or morning of Day 2.

===Planning your trip===
[[File:10_ManualSD_TR.png|400px]]

In planning your trip consider the following factors: budget, security assessment for the facilitators, adequate rest, and conditions that permit you to work late into the night (just in case).

While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.

===Collective care===
[[File:12_ManualSD_TR.png|600px]]

A positive work environment maximizes the focus and energy levels of both the participants and the facilitators. Here are some collective-care measures that facilitators can take before and during the diagnostic:

1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.

[[File:11_ManualSD_TR.png|200px]]

2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.

===Facilitators===

In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:

* Systems Administration
* Analysis of ICTs, and digital security tools
* Pedagogical techniques
* Research on technopolitical topics
* Sensitivity in situations of high emotional stress

You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.

If the team is comprised of biological men and biological women,<ref>Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.</ref> it is important to be aware that organizations (society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred to different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.

== Implementation==

The first day of the ''in situ'' stage of the assessment is comprised of two activities: collective risk analysis with the members of the organization, simultaneously with the hardware diagnostics and evaluation of the facilities.

=== Collective risk analysis ===
[[File:07_ManualSD_TR.png|600px]]

Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:

* Arrange the tables and chairs in a semicircle or U

* Distribute crayons, markers and paper on the table

* Place three long columns of kraft paper on a wall visible to all participants

* On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary

* Obtain the WIFI password in case you need to/are able to research doubts online during the session

1. Presentation (Estimated duration: 10 min)

Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.

To create a constructive environment for conversation, debate and self-expression, it's helpful to agree on some basic guidelines for participation, such as but not limited to:

1. Listen actively and with an open mind to the contributions of others
2. Avoid monopolizing the conversation and interrupting others
3. Be courageous, share your experience and perspective

2. Activity: Around-the-clock (Estimated duration: 45 min)

Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.

Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.

Tip 1: While the participants are working on their drawings, write "Uses of technology" at the top of the first column of kraft paper and divide the column into four roughly equal sections that you label: Cell phone/tablet; Computer; Computer+Cell/tablet; Other devices. This will help organize the notes you take when the participants present their drawings.

After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages partipants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:

- "I use the alarm on my cellphone to wake up in the morning"
- "I use my computer to listen to music with Spotify"
- "I use an app on my cellphone that counts steps"
- "I use Whatsapp to share audio files with my colleagues"
- "I use Dropbox from my computer to backup my documents"

Tip 2: It is not necessary that each and every participant present their drawing. In the interest of time, after a few people have presented, encourage the remaining participants to share uses of technology that have not yet been presented.

Tip 3: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.

Result: At the conclusion of this exercise, you will have a list of the typical ways that the members of the organization use technology.

3. Activity: What information is produced? (Estimated duration: 45 min)

Objective: Determine what information is produced as a consequence of each use of technology.

Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 1), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate because in the course of this activity it is important to be as detailed and exhaustive as possibe. As a consensus is reached, capture the answer in the second column of kraft paper.

Tip 1: Though it may it seem obvious, it is important to provide a clear definition of the word "information". For example, in the case of a photograph, the information is not "the photo", which only refers to the jpg or png file, but the content of the image, such as what is happening, the identities of the people in the picture, their location and the time and date of the event, etc. In the case of an app for taxis, the information produced would be origins and destinations of travel, frequency of certain routes and methods of payment.

Tip 2: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.

Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.

4. Activity: Actor Brainstorm (Approximate duration: 1 hour)

Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.

Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.

After completing the list of actors, connect each actor (from column 3) with the information they would be interested in (from column 2) extending a piece of thread from the actor toward the corresponding information. Throughout the exercise, when you consider it pertinent, contribute information about the technopolitical context that the members of the organization may not be taking into account.

Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.

Tip 1: Assign a distinct color of thread to each actor or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.

Tip 2: If the participants are having a hard time coming up with ideas, suggest that they consider a range of types of actors, including international, national, local, political, religious groups, media, and even private individuals with personal interests or vendetta against the organization or its members.

Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).

5. Activity: Actor brainstorm continued- Narrowing down (Estimated duration: 1 hour)

Objective: Determine which actors, in addition to having interest in the information produced from the organization, also possess the capacities and resources necessary to obtain that information without the organization's consent.

Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.

Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.

In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.

When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.

Tip 1: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.

Tip 2: During this exercise, it would be extremely useful to have on hand a table, chart, or infographic that clearly illustrates the legal, technical, and economic prerequisites for obtaining and using different surveillance tools, as well as the specific types of ICTs that these distinct surveillance tools are capable of attacking.

Result: At the conclusion of this exercise, you will have narrowed down a list of actors who have a) an interest in obtaining the organization's information and b) the capacity to obtain it.

6. Activity: Traffic lights (Estimated duration: 1 hour)

Objective: Determine which of the organization's information is sensitive.

Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity '''5'''), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.

Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.

Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".

7. Activity: Doors and Locks (Estimated time: 20 min)

[[File:16_ManualSD_TR.png|400px]]

Objective: Identify mechanisms that could help protect the organization's sensitive information.

Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.

Refer back column 1 of the kraft paper "Uses of technology" to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.

Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:

Tip: In some contexts it may appear that participants do not have enough technical knowledge to have placed adequate "locks" on all their "doors". However, be wary of making false assumptions. Often, organizations put in place digital security mechanisms intuitively, and as facilitators, you should recognize that and bring these advances to their attention.

Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.

8. Closing (Approximate duration: 20 min)

To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.

If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.

Before parting ways, make sure to briefly explain to the group that the next stage of the diagnostic consists in the revision of the staff's computers and the facilities. Make clear that this review is not a forensic analysis, that no programs will be installed on the computers, and that no technical issues will be fixed. Rather, this part of the assessment will offer a bird's eye view of the type of information that is stored, programs that have been installed, and the state of antivirus protections.

Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.

[[File:22_ManualSD_TR.png|600px]]

The collective risk analysis is now complete. Your final step is to transcribe the results into the preliminary report template (Annex I).

'''Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.'''

=== Computer diagnostics and evaluation of facilities===
[[File:17_ManualSD_TR.png|300px]]

Another aspect of digital security is the environment in which devices are being used. Therefore it is important to undertake a systematic evaluation of some of the specific aspects of the facilities and local ICT infrastructure, including:

a) How easy/difficult it is to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.

b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?

c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?

d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?

e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?

f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.

As part of this general review, consider the following checklist:

- Determine if the staff's computers are connected to the internet via WIFI or Ethernet
- Evaluate the network configuration, the strength of the WIFI password, encryption type, and if they have VPN or VLAN configured
- Determine if the modem's original configuration has been changed
- Identify the organization's internet service provider

Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.

Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.

Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.

Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU_Linux operating system (the command '''dd''' could be a good option).

We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.

The main points covered in the computer diagnostics are:

- vulnerabilities due to the absence of an antivirus program, inactive firewall, and lack of security updates
- installation of programs that contain vulnerabilities such as malware, adware and other malicious software
- the exposure of sensitive data due to browsing the internet

If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.

In OS X, you can access the "Console" from the Utilities folder to review the system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.

On all operating systems, perform the following steps:

1. Check the status of firewall on all operating systems
2. Check the status of antivirus protections on the computers, including if an antivirus software is installed, if the database is up-to-date, and logs
3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you
4. Check which search engines are used, if search history and passwords are saved, and which plugins are installed

=== Reviewing findings ===

[[File:21_ManualSD_TR.png|left|300px|RF]][[File:08_ManualSD_TR.png|right|200px|Computer]]

At this time, you will have a large amount of information to review and process.

With respect to the files you saved during the computer diagnostics, review the programs installed. If any standout as uncommon, conduct additional research to determine if they may be a potential threat.

In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.

Tip: Prior to implementing the diagnostic, facilitators should familiarize themselves with common processes that are executed in the main operating systems and how those appear in event logs. With this knowledge under your belt, you will be able to more readily detect unusual processes when they are reported in logs. Remember that the goal is not so much to search for specific errors, but to discover patterns and anomalies.

=== Preparing the preliminary report ===

With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).

The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.

Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.

The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with [https://en.wikipedia.org/wiki/Planned_obsolescence built-in obsolescence] and to opt for [https://en.wikipedia.org/wiki/Free_and_open-source_softwareopen-source and free software].

Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.

=== Presenting the preliminary report ===
[[File:20_ManualSD_TR.png|600px]]

The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.

Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.

When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.

When all the feedback has been given and a consensus has been reached on the content of the preliminary report, the session is essentially adjourned. However, if any time remains, we highly recommend asking the participants to give you feedback on the methodology and facilitation style, as well as their overall sense of the utility of the diagnostic.

Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).

The facilitators must take care to securely transport any files from the computer diagnostics that require further analysis or incorporation into the final report. Securely delete these files once they are no longer needed.

== Putting together the final report==
[[File:19_ManualSD_TR.png|left|300px|Report]] The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.

The last step in the diagnostic is to deliver the final report to the organization. Make sure to send the report using a secure medium as it contains highly sensitive information about the security vulnerabilities of the organization. This is also an opportunity to set a precedent for the handling and transportation of sensitive files.

== Additional resources ==

Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual Zen Manual]

* [https://securityinabox.org/en Security In-A-Box]

* [https://ssd.eff.org Surveillance Self-Defense Security Starter Pack]

* [https://holistic-security.tacticaltech.org Holistic Security]

* [https://safetag.org/ SAFETAG]

* [https://level-up.cc/ Level-up]

In Spanish:

* Materials from [https://karisma.org.co/biblioteca/ Fundación Karisma]

* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

== Acknowledgments ==
[[File:25_ManualSD_TR.png|300px]]

Técnicas Rudas is immeasurably grateful to Ercilia Sahores (Verbamate) for
dedicating more than one sleepless night to helping translate the
original Spanish text of this manual into English. We would also like to
thank Sophie Elizabeth Lally and Philippa Mary Williams for their
meticulous revisions and invaluable contributions in revising and
adapting the content of the English-language manual.

==Credits==
This guide was written by [http://tecnicasrudas.org Técnicas Rudas] with the support of the [https://iwpr.net/ Institute for War and Peace Reporting]. Illustrated by María Silva and Yutsil Mangas.

[[File:LogoTR.png|right|300px||Técnicas Rudas]] [[File:IWPR-LOGO.png|left|350px|IWPR]].

== Appendix I: Report Template ==
[https://gendersec.tacticaltech.org/wiki/images/d/d7/DigitalSecurityRiskAssessment_PreliminaryReport_Template.odt Digital Security Risk Assesment Report Template]

== References ==

[[Category:How_To]]

Digital Security Assessment for Human Rights Organizations: A guide for facilitators

2017-09-06T18:22:07Z

Anamhoo: /* Credits */

[[File:01_ManualSD_TR.png|600px]]
== Introduction ==
[[File:24_ManualSD_TR.png|center|600px]]

Advances in Information and Communications Technologies (ICT) have played a critical role in expanding the potential of human rights organizations to make a difference by enabling wider reach, scaling-up and increasing efficiency in essential activities including internal and external communication, remote collaboration, data collection and analysis, and documentation. Simultaneously, the integration of digital technologies into their day to to day work has exposed activists to new risks evidenced by reports of widespread intrusions on privacy from the hacking of emails and Facebook accounts to the infecting of computers with government-purchased spyware and the monitoring of telephone communication. These new risks are also present in the physical robbery of computers, as well as the loss or theft of cellphones containing both personal and professional data. Unwanted access to confidential information can expose activists to a range of threats including blackmail, public humiliation, obstruction of campaign strategies and day-to-day operations through physical, economic or technical interventions, and attacks on their physical security and that of their families and allies in the field.

Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: Either resign to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs all together because it is not worth the risk.

At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenged faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a [https://holistic-security.tacticaltech.org/ holistic security strategy].

Unfortunately, due to lack of time, resources and information, civil society organizations and activists rarely embark on a deliberate process for developing a digital security strategy beyond receiving input from technical experts to resolve immediate issues or learning about best practices and new tools. As a result, agreements to use certain tools or abide by certain protocols are abandoned over time.

For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.

==How to use this guide==

[[File:02_ManualSD_TR.png|400px]]

This guide is directed primarily at the digital security training community, but may also prove useful for an organization that chooses to initiate a digital security process on its own. The activities and structure proposed herein can and should be adapted to the specific circumstances and needs of the organization. The guide can also be a useful reference for facilitators throughout the implementation of the diagnostic. The methodology can also be applied to individual assessments with minimal adjustments.

== Methodological Foundations==

The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.

=== Why "technopolitical"? ===
[[File:03_ManualSD_TR.png|left|350px|Tech]][[File:09_ManualSD_TR.png|riaght|350px|Tech2]]

A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".

A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment, however it also incorporates criteria related to social impact in its guidance on how to develop recommendations.

One example of applying a technopolitcal perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of [https://chupadados.codingrights.org/es/ Coding Rights]).

Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 government-driven surveillance and espionage taking place on a global scale]. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html systematic use of government-purchased spyware against human rights activists and journalists].

Other examples of and practical resources on technopolitics: Everything you read by the [https://www.eff.org/ Electronic Frontier Foundation]; Tactical Tech's [https://tacticaltech.org/projects/27 Politics of Data] project; a Human Rights Watch series on [https://www.hrw.org/news/2016/03/25/digital-disruption-human-rights “Digital Disruption of Human Rights”]; research projects by the [https://www.theengineroom.org/work/=research Engine Room]; the Data&Society Institute's program on [https://datasociety.net/initiatives/data-human-rights/ Data, Human Rights & Human Security].

Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.

=== Transhackfeminism===
[[File:04_ManualSD_TR.png|600px]]

Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:

a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries.

b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of ''Pitchblende'' to obtain just one gram of the material that led her to discover the radio.

c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization.

Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.

=== Popular Education===
[[File:05_ManualSD_TR.png|600px]]

Popular education starts with the recognition that education is a political act. This political act can be repressive if it establishes hierarchical power relations, or emancipatory if it breaks them. In line with popular education, we are proponents of the emancipatory role of education. Our methodology for the facilitation of the participatory diagnostic is guided by the following three axioms:

1) theory and practice are dialectically related

2) consciousness - as its etymology indicates - comes from knowledge learned in the company of others

3) The world not a static reality, but a reality in process (Paulo Freire) <ref>Greater detail on popular education is beyond the scope of this manual, however there is an extensive body of literature on the subject. We recommend starting with [Paolo Freire] (https://es.wikipedia.org/wiki/Paulo_Freire).</ref>

== Preparation ==

[[File:06_ManualSD_TR.png|300px]]

Though the bulk of the diagnostic is carried out ''in situ'' with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of the how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.

=== Research ===
[[File:26_ManualSD_TR.png|500px]]

a) Get to know the organization.

Most likely, you already know something about the organization before deciding to work with them. However, it's important to expand that knowledge as much as possible for two objectives: 1) to evaluate risk for the facilitation team, and 2) to ensure that the assessment process itself is appropriate for the context and culture of the organization.

Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the ''in situ'' participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.

When collecting "public information" for this initial review, consider anything that can be found in media outlets, press releases, political statements, posts on social media, as well as information about the server, legal representative and technical team associated with the domain, any sub-domains and official web address (which can be relatively easily found using websites such as https://whois.net/default.aspx), and if possible, the company that provides the organization's email services.

Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII)<ref>PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.</ref> could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?

b) Analysis of the regional, national and local technopolitical context

In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services,<ref>A potentially helpful resource for answering this question is ShareLab's ([https://labs.rs/en/metadata/ metadata investigation of spy company Hacking Team's email communications]).</ref> as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.

It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.

c) Get up-to-date on programs and tools

This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.

It is also indispensable to be familiar with the business models, privacy policies, and transparency reports of the major companies that provide common ICT services, as well as the security features and any reported security flaws in connection with their products. Consider:

* email
* instant-messaging apps
* file sharing, calendars, real-time shared document editing and other cloud services
* video conferencing
* online tech support programs
* social media platforms
* operating systems
* mobile telecommunications

=== Useful Materials===

For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.

[[File:08_ManualSD_TR.png|left|200px|Computer diagnostics]] For the computer diagnostics: At least two completely clean pin drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.

===Planning and communicating the agenda===

Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work ''in situ''. However, the facilitators should be prepared to dedicate additional time between sessions.

Depending on how the organization is structured, it is crucial that at least one member from each area participate in the diagnostic. This requirement should be extremely clear in the communications with the organization leading up to the diagnostic, as they are likely to only invite technical staff and/or directors. The purpose of requiring at least one person from each area is to obtain the most accurate and complete portrayal of how the organization works.

We recommended the following distribution of activities over the course of 1-2 consecutive days:

'''Day One'''

Morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).

Afternoon session (Facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.

'''Day Two'''

Morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.

It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.

Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one-two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators because you will have to run the computer diagnostics in the afternoon of Day 1 and/or morning of Day 2.

===Planning your trip===
[[File:10_ManualSD_TR.png|400px]]

In planning your trip consider the following factors: budget, security assessment for the facilitators, adequate rest, and conditions that permit you to work late into the night (just in case).

While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.

===Collective care===
[[File:12_ManualSD_TR.png|600px]]

A positive work environment maximizes the focus and energy levels of both the participants and the facilitators. Here are some collective-care measures that facilitators can take before and during the diagnostic:

1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.

[[File:11_ManualSD_TR.png|200px]]

2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.

===Facilitators===

In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:

* Systems Administration
* Analysis of ICTs, and digital security tools
* Pedagogical techniques
* Research on technopolitical topics
* Sensitivity in situations of high emotional stress

You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.

If the team is comprised of biological men and biological women,<ref>Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.</ref> it is important to be aware that organizations (society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred to different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.

== Implementation==

The first day of the ''in situ'' stage of the assessment is comprised of two activities: collective risk analysis with the members of the organization, simultaneously with the hardware diagnostics and evaluation of the facilities.

=== Collective risk analysis ===
[[File:07_ManualSD_TR.png|600px]]

Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:

* Arrange the tables and chairs in a semicircle or U

* Distribute crayons, markers and paper on the table

* Place three long columns of kraft paper on a wall visible to all participants

* On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary

* Obtain the WIFI password in case you need to/are able to research doubts online during the session

1. Presentation (Estimated duration: 10 min)

Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.

To create a constructive environment for conversation, debate and self-expression, it's helpful to agree on some basic guidelines for participation, such as but not limited to:

1. Listen actively and with an open mind to the contributions of others
2. Avoid monopolizing the conversation and interrupting others
3. Be courageous, share your experience and perspective

2. Activity: Around-the-clock (Estimated duration: 45 min)

Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.

Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.

Tip 1: While the participants are working on their drawings, write "Uses of technology" at the top of the first column of kraft paper and divide the column into four roughly equal sections that you label: Cell phone/tablet; Computer; Computer+Cell/tablet; Other devices. This will help organize the notes you take when the participants present their drawings.

After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages partipants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:

- "I use the alarm on my cellphone to wake up in the morning"
- "I use my computer to listen to music with Spotify"
- "I use an app on my cellphone that counts steps"
- "I use Whatsapp to share audio files with my colleagues"
- "I use Dropbox from my computer to backup my documents"

Tip 2: It is not necessary that each and every participant present their drawing. In the interest of time, after a few people have presented, encourage the remaining participants to share uses of technology that have not yet been presented.

Tip 3: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.

Result: At the conclusion of this exercise, you will have a list of the typical ways that the members of the organization use technology.

3. Activity: What information is produced? (Estimated duration: 45 min)

Objective: Determine what information is produced as a consequence of each use of technology.

Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 1), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate because in the course of this activity it is important to be as detailed and exhaustive as possibe. As a consensus is reached, capture the answer in the second column of kraft paper.

Tip 1: Though it may it seem obvious, it is important to provide a clear definition of the word "information". For example, in the case of a photograph, the information is not "the photo", which only refers to the jpg or png file, but the content of the image, such as what is happening, the identities of the people in the picture, their location and the time and date of the event, etc. In the case of an app for taxis, the information produced would be origins and destinations of travel, frequency of certain routes and methods of payment.

Tip 2: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.

Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.

4. Activity: Actor Brainstorm (Approximate duration: 1 hour)

Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.

Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.

After completing the list of actors, connect each actor (from column 3) with the information they would be interested in (from column 2) extending a piece of thread from the actor toward the corresponding information. Throughout the exercise, when you consider it pertinent, contribute information about the technopolitical context that the members of the organization may not be taking into account.

Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.

Tip 1: Assign a distinct color of thread to each actor or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.

Tip 2: If the participants are having a hard time coming up with ideas, suggest that they consider a range of types of actors, including international, national, local, political, religious groups, media, and even private individuals with personal interests or vendetta against the organization or its members.

Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).

5. Activity: Actor brainstorm continued- Narrowing down (Estimated duration: 1 hour)

Objective: Determine which actors, in addition to having interest in the information produced from the organization, also possess the capacities and resources necessary to obtain that information without the organization's consent.

Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.

Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.

In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.

When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.

Tip 1: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.

Tip 2: During this exercise, it would be extremely useful to have on hand a table, chart, or infographic that clearly illustrates the legal, technical, and economic prerequisites for obtaining and using different surveillance tools, as well as the specific types of ICTs that these distinct surveillance tools are capable of attacking.

Result: At the conclusion of this exercise, you will have narrowed down a list of actors who have a) an interest in obtaining the organization's information and b) the capacity to obtain it.

6. Activity: Traffic lights (Estimated duration: 1 hour)

Objective: Determine which of the organization's information is sensitive.

Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity '''5'''), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.

Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.

Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".

7. Activity: Doors and Locks (Estimated time: 20 min)

[[File:16_ManualSD_TR.png|400px]]

Objective: Identify mechanisms that could help protect the organization's sensitive information.

Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.

Refer back column 1 of the kraft paper "Uses of technology" to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.

Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:

Tip: In some contexts it may appear that participants do not have enough technical knowledge to have placed adequate "locks" on all their "doors". However, be wary of making false assumptions. Often, organizations put in place digital security mechanisms intuitively, and as facilitators, you should recognize that and bring these advances to their attention.

Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.

8. Closing (Approximate duration: 20 min)

To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.

If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.

Before parting ways, make sure to briefly explain to the group that the next stage of the diagnostic consists in the revision of the staff's computers and the facilities. Make clear that this review is not a forensic analysis, that no programs will be installed on the computers, and that no technical issues will be fixed. Rather, this part of the assessment will offer a bird's eye view of the type of information that is stored, programs that have been installed, and the state of antivirus protections.

Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.

[[File:22_ManualSD_TR.png|600px]]

The collective risk analysis is now complete. Your final step is to transcribe the results into the preliminary report template (Annex I).

'''Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.'''

=== Computer diagnostics and evaluation of facilities===
[[File:17_ManualSD_TR.png|300px]]

Another aspect of digital security is the environment in which devices are being used. Therefore it is important to undertake a systematic evaluation of some of the specific aspects of the facilities and local ICT infrastructure, including:

a) How easy/difficult it is to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.

b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?

c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?

d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?

e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?

f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.

As part of this general review, consider the following checklist:

- Determine if the staff's computers are connected to the internet via WIFI or Ethernet
- Evaluate the network configuration, the strength of the WIFI password, encryption type, and if they have VPN or VLAN configured
- Determine if the modem's original configuration has been changed
- Identify the organization's internet service provider

Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.

Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.

Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.

Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU_Linux operating system (the command '''dd''' could be a good option).

We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.

The main points covered in the computer diagnostics are:

- vulnerabilities due to the absence of an antivirus program, inactive firewall, and lack of security updates
- installation of programs that contain vulnerabilities such as malware, adware and other malicious software
- the exposure of sensitive data due to browsing the internet

If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.

In OS X, you can access the "Console" from the Utilities folder to review the system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.

On all operating systems, perform the following steps:

1. Check the status of firewall on all operating systems
2. Check the status of antivirus protections on the computers, including if an antivirus software is installed, if the database is up-to-date, and logs
3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you
4. Check which search engines are used, if search history and passwords are saved, and which plugins are installed

=== Reviewing findings ===

[[File:21_ManualSD_TR.png|left|300px|RF]][[File:08_ManualSD_TR.png|right|200px|Computer]]

At this time, you will have a large amount of information to review and process.

With respect to the files you saved during the computer diagnostics, review the programs installed. If any standout as uncommon, conduct additional research to determine if they may be a potential threat.

In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.

Tip: Prior to implementing the diagnostic, facilitators should familiarize themselves with common processes that are executed in the main operating systems and how those appear in event logs. With this knowledge under your belt, you will be able to more readily detect unusual processes when they are reported in logs. Remember that the goal is not so much to search for specific errors, but to discover patterns and anomalies.

=== Preparing the preliminary report ===

With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).

The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.

Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.

The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with [https://en.wikipedia.org/wiki/Planned_obsolescence built-in obsolescence] and to opt for [https://en.wikipedia.org/wiki/Free_and_open-source_softwareopen-source and free software].

Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.

=== Presenting the preliminary report ===
[[File:20_ManualSD_TR.png|600px]]

The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.

Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.

When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.

When all the feedback has been given and a consensus has been reached on the content of the preliminary report, the session is essentially adjourned. However, if any time remains, we highly recommend asking the participants to give you feedback on the methodology and facilitation style, as well as their overall sense of the utility of the diagnostic.

Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).

The facilitators must take care to securely transport any files from the computer diagnostics that require further analysis or incorporation into the final report. Securely delete these files once they are no longer needed.

== Putting together the final report==
[[File:19_ManualSD_TR.png|left|300px|Report]] The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.

The last step in the diagnostic is to deliver the final report to the organization. Make sure to send the report using a secure medium as it contains highly sensitive information about the security vulnerabilities of the organization. This is also an opportunity to set a precedent for the handling and transportation of sensitive files.

== Additional resources ==

Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual Zen Manual]

* [https://securityinabox.org/en Security In-A-Box]

* [https://ssd.eff.org Surveillance Self-Defense Security Starter Pack]

* [https://holistic-security.tacticaltech.org Holistic Security]

* [https://safetag.org/ SAFETAG]

* [https://level-up.cc/ Level-up]

In Spanish:

* Materials from [https://karisma.org.co/biblioteca/ Fundación Karisma]

* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

== Acknowledgments ==
[[File:25_ManualSD_TR.png|300px]]

Técnicas Rudas is immeasurably grateful to Ercilia Sahores (Verbamate) for
dedicating more than one sleepless night to helping translate the
original Spanish text of this manual into English. We would also like to
thank Sophie Elizabeth Lally and Philippa Mary Williams for their
meticulous revisions and invaluable contributions in revising and
adapting the content of the English-language manual.

==Credits==
This guide was written by [http://tecnicasrudas.org Técnicas Rudas] with the support of the [https://iwpr.net/ Institute for War and Peace Reporting]. Illustrated by María Silva and Yutsil Mangas.

[[File:LogoTR.png|right|300px||Técnicas Rudas]] [[File:IWPR-LOGO.png|left|400px|IWPR]].

== Appendix I: Report Template ==
[https://gendersec.tacticaltech.org/wiki/images/d/d7/DigitalSecurityRiskAssessment_PreliminaryReport_Template.odt Digital Security Risk Assesment Report Template]

== References ==

[[Category:How_To]]

Digital Security Assessment for Human Rights Organizations: A guide for facilitators

2017-09-06T18:20:35Z

Anamhoo: /* Credits */

[[File:01_ManualSD_TR.png|600px]]
== Introduction ==
[[File:24_ManualSD_TR.png|center|600px]]

Advances in Information and Communications Technologies (ICT) have played a critical role in expanding the potential of human rights organizations to make a difference by enabling wider reach, scaling-up and increasing efficiency in essential activities including internal and external communication, remote collaboration, data collection and analysis, and documentation. Simultaneously, the integration of digital technologies into their day to to day work has exposed activists to new risks evidenced by reports of widespread intrusions on privacy from the hacking of emails and Facebook accounts to the infecting of computers with government-purchased spyware and the monitoring of telephone communication. These new risks are also present in the physical robbery of computers, as well as the loss or theft of cellphones containing both personal and professional data. Unwanted access to confidential information can expose activists to a range of threats including blackmail, public humiliation, obstruction of campaign strategies and day-to-day operations through physical, economic or technical interventions, and attacks on their physical security and that of their families and allies in the field.

Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: Either resign to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs all together because it is not worth the risk.

At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenged faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a [https://holistic-security.tacticaltech.org/ holistic security strategy].

Unfortunately, due to lack of time, resources and information, civil society organizations and activists rarely embark on a deliberate process for developing a digital security strategy beyond receiving input from technical experts to resolve immediate issues or learning about best practices and new tools. As a result, agreements to use certain tools or abide by certain protocols are abandoned over time.

For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.

==How to use this guide==

[[File:02_ManualSD_TR.png|400px]]

This guide is directed primarily at the digital security training community, but may also prove useful for an organization that chooses to initiate a digital security process on its own. The activities and structure proposed herein can and should be adapted to the specific circumstances and needs of the organization. The guide can also be a useful reference for facilitators throughout the implementation of the diagnostic. The methodology can also be applied to individual assessments with minimal adjustments.

== Methodological Foundations==

The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.

=== Why "technopolitical"? ===
[[File:03_ManualSD_TR.png|left|350px|Tech]][[File:09_ManualSD_TR.png|riaght|350px|Tech2]]

A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".

A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment, however it also incorporates criteria related to social impact in its guidance on how to develop recommendations.

One example of applying a technopolitcal perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of [https://chupadados.codingrights.org/es/ Coding Rights]).

Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 government-driven surveillance and espionage taking place on a global scale]. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html systematic use of government-purchased spyware against human rights activists and journalists].

Other examples of and practical resources on technopolitics: Everything you read by the [https://www.eff.org/ Electronic Frontier Foundation]; Tactical Tech's [https://tacticaltech.org/projects/27 Politics of Data] project; a Human Rights Watch series on [https://www.hrw.org/news/2016/03/25/digital-disruption-human-rights “Digital Disruption of Human Rights”]; research projects by the [https://www.theengineroom.org/work/=research Engine Room]; the Data&Society Institute's program on [https://datasociety.net/initiatives/data-human-rights/ Data, Human Rights & Human Security].

Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.

=== Transhackfeminism===
[[File:04_ManualSD_TR.png|600px]]

Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:

a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries.

b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of ''Pitchblende'' to obtain just one gram of the material that led her to discover the radio.

c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization.

Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.

=== Popular Education===
[[File:05_ManualSD_TR.png|600px]]

Popular education starts with the recognition that education is a political act. This political act can be repressive if it establishes hierarchical power relations, or emancipatory if it breaks them. In line with popular education, we are proponents of the emancipatory role of education. Our methodology for the facilitation of the participatory diagnostic is guided by the following three axioms:

1) theory and practice are dialectically related

2) consciousness - as its etymology indicates - comes from knowledge learned in the company of others

3) The world not a static reality, but a reality in process (Paulo Freire) <ref>Greater detail on popular education is beyond the scope of this manual, however there is an extensive body of literature on the subject. We recommend starting with [Paolo Freire] (https://es.wikipedia.org/wiki/Paulo_Freire).</ref>

== Preparation ==

[[File:06_ManualSD_TR.png|300px]]

Though the bulk of the diagnostic is carried out ''in situ'' with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of the how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.

=== Research ===
[[File:26_ManualSD_TR.png|500px]]

a) Get to know the organization.

Most likely, you already know something about the organization before deciding to work with them. However, it's important to expand that knowledge as much as possible for two objectives: 1) to evaluate risk for the facilitation team, and 2) to ensure that the assessment process itself is appropriate for the context and culture of the organization.

Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the ''in situ'' participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.

When collecting "public information" for this initial review, consider anything that can be found in media outlets, press releases, political statements, posts on social media, as well as information about the server, legal representative and technical team associated with the domain, any sub-domains and official web address (which can be relatively easily found using websites such as https://whois.net/default.aspx), and if possible, the company that provides the organization's email services.

Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII)<ref>PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.</ref> could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?

b) Analysis of the regional, national and local technopolitical context

In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services,<ref>A potentially helpful resource for answering this question is ShareLab's ([https://labs.rs/en/metadata/ metadata investigation of spy company Hacking Team's email communications]).</ref> as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.

It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.

c) Get up-to-date on programs and tools

This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.

It is also indispensable to be familiar with the business models, privacy policies, and transparency reports of the major companies that provide common ICT services, as well as the security features and any reported security flaws in connection with their products. Consider:

* email
* instant-messaging apps
* file sharing, calendars, real-time shared document editing and other cloud services
* video conferencing
* online tech support programs
* social media platforms
* operating systems
* mobile telecommunications

=== Useful Materials===

For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.

[[File:08_ManualSD_TR.png|left|200px|Computer diagnostics]] For the computer diagnostics: At least two completely clean pin drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.

===Planning and communicating the agenda===

Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work ''in situ''. However, the facilitators should be prepared to dedicate additional time between sessions.

Depending on how the organization is structured, it is crucial that at least one member from each area participate in the diagnostic. This requirement should be extremely clear in the communications with the organization leading up to the diagnostic, as they are likely to only invite technical staff and/or directors. The purpose of requiring at least one person from each area is to obtain the most accurate and complete portrayal of how the organization works.

We recommended the following distribution of activities over the course of 1-2 consecutive days:

'''Day One'''

Morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).

Afternoon session (Facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.

'''Day Two'''

Morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.

It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.

Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one-two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators because you will have to run the computer diagnostics in the afternoon of Day 1 and/or morning of Day 2.

===Planning your trip===
[[File:10_ManualSD_TR.png|400px]]

In planning your trip consider the following factors: budget, security assessment for the facilitators, adequate rest, and conditions that permit you to work late into the night (just in case).

While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.

===Collective care===
[[File:12_ManualSD_TR.png|600px]]

A positive work environment maximizes the focus and energy levels of both the participants and the facilitators. Here are some collective-care measures that facilitators can take before and during the diagnostic:

1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.

[[File:11_ManualSD_TR.png|200px]]

2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.

===Facilitators===

In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:

* Systems Administration
* Analysis of ICTs, and digital security tools
* Pedagogical techniques
* Research on technopolitical topics
* Sensitivity in situations of high emotional stress

You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.

If the team is comprised of biological men and biological women,<ref>Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.</ref> it is important to be aware that organizations (society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred to different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.

== Implementation==

The first day of the ''in situ'' stage of the assessment is comprised of two activities: collective risk analysis with the members of the organization, simultaneously with the hardware diagnostics and evaluation of the facilities.

=== Collective risk analysis ===
[[File:07_ManualSD_TR.png|600px]]

Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:

* Arrange the tables and chairs in a semicircle or U

* Distribute crayons, markers and paper on the table

* Place three long columns of kraft paper on a wall visible to all participants

* On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary

* Obtain the WIFI password in case you need to/are able to research doubts online during the session

1. Presentation (Estimated duration: 10 min)

Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.

To create a constructive environment for conversation, debate and self-expression, it's helpful to agree on some basic guidelines for participation, such as but not limited to:

1. Listen actively and with an open mind to the contributions of others
2. Avoid monopolizing the conversation and interrupting others
3. Be courageous, share your experience and perspective

2. Activity: Around-the-clock (Estimated duration: 45 min)

Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.

Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.

Tip 1: While the participants are working on their drawings, write "Uses of technology" at the top of the first column of kraft paper and divide the column into four roughly equal sections that you label: Cell phone/tablet; Computer; Computer+Cell/tablet; Other devices. This will help organize the notes you take when the participants present their drawings.

After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages partipants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:

- "I use the alarm on my cellphone to wake up in the morning"
- "I use my computer to listen to music with Spotify"
- "I use an app on my cellphone that counts steps"
- "I use Whatsapp to share audio files with my colleagues"
- "I use Dropbox from my computer to backup my documents"

Tip 2: It is not necessary that each and every participant present their drawing. In the interest of time, after a few people have presented, encourage the remaining participants to share uses of technology that have not yet been presented.

Tip 3: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.

Result: At the conclusion of this exercise, you will have a list of the typical ways that the members of the organization use technology.

3. Activity: What information is produced? (Estimated duration: 45 min)

Objective: Determine what information is produced as a consequence of each use of technology.

Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 1), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate because in the course of this activity it is important to be as detailed and exhaustive as possibe. As a consensus is reached, capture the answer in the second column of kraft paper.

Tip 1: Though it may it seem obvious, it is important to provide a clear definition of the word "information". For example, in the case of a photograph, the information is not "the photo", which only refers to the jpg or png file, but the content of the image, such as what is happening, the identities of the people in the picture, their location and the time and date of the event, etc. In the case of an app for taxis, the information produced would be origins and destinations of travel, frequency of certain routes and methods of payment.

Tip 2: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.

Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.

4. Activity: Actor Brainstorm (Approximate duration: 1 hour)

Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.

Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.

After completing the list of actors, connect each actor (from column 3) with the information they would be interested in (from column 2) extending a piece of thread from the actor toward the corresponding information. Throughout the exercise, when you consider it pertinent, contribute information about the technopolitical context that the members of the organization may not be taking into account.

Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.

Tip 1: Assign a distinct color of thread to each actor or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.

Tip 2: If the participants are having a hard time coming up with ideas, suggest that they consider a range of types of actors, including international, national, local, political, religious groups, media, and even private individuals with personal interests or vendetta against the organization or its members.

Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).

5. Activity: Actor brainstorm continued- Narrowing down (Estimated duration: 1 hour)

Objective: Determine which actors, in addition to having interest in the information produced from the organization, also possess the capacities and resources necessary to obtain that information without the organization's consent.

Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.

Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.

In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.

When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.

Tip 1: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.

Tip 2: During this exercise, it would be extremely useful to have on hand a table, chart, or infographic that clearly illustrates the legal, technical, and economic prerequisites for obtaining and using different surveillance tools, as well as the specific types of ICTs that these distinct surveillance tools are capable of attacking.

Result: At the conclusion of this exercise, you will have narrowed down a list of actors who have a) an interest in obtaining the organization's information and b) the capacity to obtain it.

6. Activity: Traffic lights (Estimated duration: 1 hour)

Objective: Determine which of the organization's information is sensitive.

Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity '''5'''), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.

Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.

Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".

7. Activity: Doors and Locks (Estimated time: 20 min)

[[File:16_ManualSD_TR.png|400px]]

Objective: Identify mechanisms that could help protect the organization's sensitive information.

Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.

Refer back column 1 of the kraft paper "Uses of technology" to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.

Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:

Tip: In some contexts it may appear that participants do not have enough technical knowledge to have placed adequate "locks" on all their "doors". However, be wary of making false assumptions. Often, organizations put in place digital security mechanisms intuitively, and as facilitators, you should recognize that and bring these advances to their attention.

Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.

8. Closing (Approximate duration: 20 min)

To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.

If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.

Before parting ways, make sure to briefly explain to the group that the next stage of the diagnostic consists in the revision of the staff's computers and the facilities. Make clear that this review is not a forensic analysis, that no programs will be installed on the computers, and that no technical issues will be fixed. Rather, this part of the assessment will offer a bird's eye view of the type of information that is stored, programs that have been installed, and the state of antivirus protections.

Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.

[[File:22_ManualSD_TR.png|600px]]

The collective risk analysis is now complete. Your final step is to transcribe the results into the preliminary report template (Annex I).

'''Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.'''

=== Computer diagnostics and evaluation of facilities===
[[File:17_ManualSD_TR.png|300px]]

Another aspect of digital security is the environment in which devices are being used. Therefore it is important to undertake a systematic evaluation of some of the specific aspects of the facilities and local ICT infrastructure, including:

a) How easy/difficult it is to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.

b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?

c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?

d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?

e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?

f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.

As part of this general review, consider the following checklist:

- Determine if the staff's computers are connected to the internet via WIFI or Ethernet
- Evaluate the network configuration, the strength of the WIFI password, encryption type, and if they have VPN or VLAN configured
- Determine if the modem's original configuration has been changed
- Identify the organization's internet service provider

Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.

Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.

Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.

Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU_Linux operating system (the command '''dd''' could be a good option).

We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.

The main points covered in the computer diagnostics are:

- vulnerabilities due to the absence of an antivirus program, inactive firewall, and lack of security updates
- installation of programs that contain vulnerabilities such as malware, adware and other malicious software
- the exposure of sensitive data due to browsing the internet

If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.

In OS X, you can access the "Console" from the Utilities folder to review the system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.

On all operating systems, perform the following steps:

1. Check the status of firewall on all operating systems
2. Check the status of antivirus protections on the computers, including if an antivirus software is installed, if the database is up-to-date, and logs
3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you
4. Check which search engines are used, if search history and passwords are saved, and which plugins are installed

=== Reviewing findings ===

[[File:21_ManualSD_TR.png|left|300px|RF]][[File:08_ManualSD_TR.png|right|200px|Computer]]

At this time, you will have a large amount of information to review and process.

With respect to the files you saved during the computer diagnostics, review the programs installed. If any standout as uncommon, conduct additional research to determine if they may be a potential threat.

In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.

Tip: Prior to implementing the diagnostic, facilitators should familiarize themselves with common processes that are executed in the main operating systems and how those appear in event logs. With this knowledge under your belt, you will be able to more readily detect unusual processes when they are reported in logs. Remember that the goal is not so much to search for specific errors, but to discover patterns and anomalies.

=== Preparing the preliminary report ===

With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).

The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.

Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.

The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with [https://en.wikipedia.org/wiki/Planned_obsolescence built-in obsolescence] and to opt for [https://en.wikipedia.org/wiki/Free_and_open-source_softwareopen-source and free software].

Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.

=== Presenting the preliminary report ===
[[File:20_ManualSD_TR.png|600px]]

The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.

Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.

When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.

When all the feedback has been given and a consensus has been reached on the content of the preliminary report, the session is essentially adjourned. However, if any time remains, we highly recommend asking the participants to give you feedback on the methodology and facilitation style, as well as their overall sense of the utility of the diagnostic.

Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).

The facilitators must take care to securely transport any files from the computer diagnostics that require further analysis or incorporation into the final report. Securely delete these files once they are no longer needed.

== Putting together the final report==
[[File:19_ManualSD_TR.png|left|300px|Report]] The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.

The last step in the diagnostic is to deliver the final report to the organization. Make sure to send the report using a secure medium as it contains highly sensitive information about the security vulnerabilities of the organization. This is also an opportunity to set a precedent for the handling and transportation of sensitive files.

== Additional resources ==

Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual Zen Manual]

* [https://securityinabox.org/en Security In-A-Box]

* [https://ssd.eff.org Surveillance Self-Defense Security Starter Pack]

* [https://holistic-security.tacticaltech.org Holistic Security]

* [https://safetag.org/ SAFETAG]

* [https://level-up.cc/ Level-up]

In Spanish:

* Materials from [https://karisma.org.co/biblioteca/ Fundación Karisma]

* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

== Acknowledgments ==
[[File:25_ManualSD_TR.png|300px]]

Técnicas Rudas is immeasurably grateful to Ercilia Sahores (Verbamate) for
dedicating more than one sleepless night to helping translate the
original Spanish text of this manual into English. We would also like to
thank Sophie Elizabeth Lally and Philippa Mary Williams for their
meticulous revisions and invaluable contributions in revising and
adapting the content of the English-language manual.

==Credits==
This guide was written by [http://tecnicasrudas.org Técnicas Rudas] with the support of the [https://iwpr.net/ Institute for War and Peace Reporting] . Illustrated by María Silva and Yutsil Mangas.

[[File:LogoTR.png|right|300px||Técnicas Rudas]] [[File:IWPR-LOGO.png|left|400px|IWPR]].

== Appendix I: Report Template ==
[https://gendersec.tacticaltech.org/wiki/images/d/d7/DigitalSecurityRiskAssessment_PreliminaryReport_Template.odt Digital Security Risk Assesment Report Template]

== References ==

[[Category:How_To]]

Digital Security Assessment for Human Rights Organizations: A guide for facilitators

2017-09-06T18:19:49Z

Anamhoo: /* Credits */

[[File:01_ManualSD_TR.png|600px]]
== Introduction ==
[[File:24_ManualSD_TR.png|center|600px]]

Advances in Information and Communications Technologies (ICT) have played a critical role in expanding the potential of human rights organizations to make a difference by enabling wider reach, scaling-up and increasing efficiency in essential activities including internal and external communication, remote collaboration, data collection and analysis, and documentation. Simultaneously, the integration of digital technologies into their day to to day work has exposed activists to new risks evidenced by reports of widespread intrusions on privacy from the hacking of emails and Facebook accounts to the infecting of computers with government-purchased spyware and the monitoring of telephone communication. These new risks are also present in the physical robbery of computers, as well as the loss or theft of cellphones containing both personal and professional data. Unwanted access to confidential information can expose activists to a range of threats including blackmail, public humiliation, obstruction of campaign strategies and day-to-day operations through physical, economic or technical interventions, and attacks on their physical security and that of their families and allies in the field.

Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: Either resign to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs all together because it is not worth the risk.

At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenged faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a [https://holistic-security.tacticaltech.org/ holistic security strategy].

Unfortunately, due to lack of time, resources and information, civil society organizations and activists rarely embark on a deliberate process for developing a digital security strategy beyond receiving input from technical experts to resolve immediate issues or learning about best practices and new tools. As a result, agreements to use certain tools or abide by certain protocols are abandoned over time.

For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.

==How to use this guide==

[[File:02_ManualSD_TR.png|400px]]

This guide is directed primarily at the digital security training community, but may also prove useful for an organization that chooses to initiate a digital security process on its own. The activities and structure proposed herein can and should be adapted to the specific circumstances and needs of the organization. The guide can also be a useful reference for facilitators throughout the implementation of the diagnostic. The methodology can also be applied to individual assessments with minimal adjustments.

== Methodological Foundations==

The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.

=== Why "technopolitical"? ===
[[File:03_ManualSD_TR.png|left|350px|Tech]][[File:09_ManualSD_TR.png|riaght|350px|Tech2]]

A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".

A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment, however it also incorporates criteria related to social impact in its guidance on how to develop recommendations.

One example of applying a technopolitcal perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of [https://chupadados.codingrights.org/es/ Coding Rights]).

Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 government-driven surveillance and espionage taking place on a global scale]. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html systematic use of government-purchased spyware against human rights activists and journalists].

Other examples of and practical resources on technopolitics: Everything you read by the [https://www.eff.org/ Electronic Frontier Foundation]; Tactical Tech's [https://tacticaltech.org/projects/27 Politics of Data] project; a Human Rights Watch series on [https://www.hrw.org/news/2016/03/25/digital-disruption-human-rights “Digital Disruption of Human Rights”]; research projects by the [https://www.theengineroom.org/work/=research Engine Room]; the Data&Society Institute's program on [https://datasociety.net/initiatives/data-human-rights/ Data, Human Rights & Human Security].

Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.

=== Transhackfeminism===
[[File:04_ManualSD_TR.png|600px]]

Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:

a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries.

b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of ''Pitchblende'' to obtain just one gram of the material that led her to discover the radio.

c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization.

Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.

=== Popular Education===
[[File:05_ManualSD_TR.png|600px]]

Popular education starts with the recognition that education is a political act. This political act can be repressive if it establishes hierarchical power relations, or emancipatory if it breaks them. In line with popular education, we are proponents of the emancipatory role of education. Our methodology for the facilitation of the participatory diagnostic is guided by the following three axioms:

1) theory and practice are dialectically related

2) consciousness - as its etymology indicates - comes from knowledge learned in the company of others

3) The world not a static reality, but a reality in process (Paulo Freire) <ref>Greater detail on popular education is beyond the scope of this manual, however there is an extensive body of literature on the subject. We recommend starting with [Paolo Freire] (https://es.wikipedia.org/wiki/Paulo_Freire).</ref>

== Preparation ==

[[File:06_ManualSD_TR.png|300px]]

Though the bulk of the diagnostic is carried out ''in situ'' with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of the how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.

=== Research ===
[[File:26_ManualSD_TR.png|500px]]

a) Get to know the organization.

Most likely, you already know something about the organization before deciding to work with them. However, it's important to expand that knowledge as much as possible for two objectives: 1) to evaluate risk for the facilitation team, and 2) to ensure that the assessment process itself is appropriate for the context and culture of the organization.

Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the ''in situ'' participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.

When collecting "public information" for this initial review, consider anything that can be found in media outlets, press releases, political statements, posts on social media, as well as information about the server, legal representative and technical team associated with the domain, any sub-domains and official web address (which can be relatively easily found using websites such as https://whois.net/default.aspx), and if possible, the company that provides the organization's email services.

Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII)<ref>PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.</ref> could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?

b) Analysis of the regional, national and local technopolitical context

In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services,<ref>A potentially helpful resource for answering this question is ShareLab's ([https://labs.rs/en/metadata/ metadata investigation of spy company Hacking Team's email communications]).</ref> as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.

It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.

c) Get up-to-date on programs and tools

This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.

It is also indispensable to be familiar with the business models, privacy policies, and transparency reports of the major companies that provide common ICT services, as well as the security features and any reported security flaws in connection with their products. Consider:

* email
* instant-messaging apps
* file sharing, calendars, real-time shared document editing and other cloud services
* video conferencing
* online tech support programs
* social media platforms
* operating systems
* mobile telecommunications

=== Useful Materials===

For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.

[[File:08_ManualSD_TR.png|left|200px|Computer diagnostics]] For the computer diagnostics: At least two completely clean pin drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.

===Planning and communicating the agenda===

Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work ''in situ''. However, the facilitators should be prepared to dedicate additional time between sessions.

Depending on how the organization is structured, it is crucial that at least one member from each area participate in the diagnostic. This requirement should be extremely clear in the communications with the organization leading up to the diagnostic, as they are likely to only invite technical staff and/or directors. The purpose of requiring at least one person from each area is to obtain the most accurate and complete portrayal of how the organization works.

We recommended the following distribution of activities over the course of 1-2 consecutive days:

'''Day One'''

Morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).

Afternoon session (Facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.

'''Day Two'''

Morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.

It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.

Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one-two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators because you will have to run the computer diagnostics in the afternoon of Day 1 and/or morning of Day 2.

===Planning your trip===
[[File:10_ManualSD_TR.png|400px]]

In planning your trip consider the following factors: budget, security assessment for the facilitators, adequate rest, and conditions that permit you to work late into the night (just in case).

While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.

===Collective care===
[[File:12_ManualSD_TR.png|600px]]

A positive work environment maximizes the focus and energy levels of both the participants and the facilitators. Here are some collective-care measures that facilitators can take before and during the diagnostic:

1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.

[[File:11_ManualSD_TR.png|200px]]

2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.

===Facilitators===

In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:

* Systems Administration
* Analysis of ICTs, and digital security tools
* Pedagogical techniques
* Research on technopolitical topics
* Sensitivity in situations of high emotional stress

You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.

If the team is comprised of biological men and biological women,<ref>Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.</ref> it is important to be aware that organizations (society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred to different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.

== Implementation==

The first day of the ''in situ'' stage of the assessment is comprised of two activities: collective risk analysis with the members of the organization, simultaneously with the hardware diagnostics and evaluation of the facilities.

=== Collective risk analysis ===
[[File:07_ManualSD_TR.png|600px]]

Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:

* Arrange the tables and chairs in a semicircle or U

* Distribute crayons, markers and paper on the table

* Place three long columns of kraft paper on a wall visible to all participants

* On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary

* Obtain the WIFI password in case you need to/are able to research doubts online during the session

1. Presentation (Estimated duration: 10 min)

Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.

To create a constructive environment for conversation, debate and self-expression, it's helpful to agree on some basic guidelines for participation, such as but not limited to:

1. Listen actively and with an open mind to the contributions of others
2. Avoid monopolizing the conversation and interrupting others
3. Be courageous, share your experience and perspective

2. Activity: Around-the-clock (Estimated duration: 45 min)

Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.

Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.

Tip 1: While the participants are working on their drawings, write "Uses of technology" at the top of the first column of kraft paper and divide the column into four roughly equal sections that you label: Cell phone/tablet; Computer; Computer+Cell/tablet; Other devices. This will help organize the notes you take when the participants present their drawings.

After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages partipants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:

- "I use the alarm on my cellphone to wake up in the morning"
- "I use my computer to listen to music with Spotify"
- "I use an app on my cellphone that counts steps"
- "I use Whatsapp to share audio files with my colleagues"
- "I use Dropbox from my computer to backup my documents"

Tip 2: It is not necessary that each and every participant present their drawing. In the interest of time, after a few people have presented, encourage the remaining participants to share uses of technology that have not yet been presented.

Tip 3: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.

Result: At the conclusion of this exercise, you will have a list of the typical ways that the members of the organization use technology.

3. Activity: What information is produced? (Estimated duration: 45 min)

Objective: Determine what information is produced as a consequence of each use of technology.

Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 1), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate because in the course of this activity it is important to be as detailed and exhaustive as possibe. As a consensus is reached, capture the answer in the second column of kraft paper.

Tip 1: Though it may it seem obvious, it is important to provide a clear definition of the word "information". For example, in the case of a photograph, the information is not "the photo", which only refers to the jpg or png file, but the content of the image, such as what is happening, the identities of the people in the picture, their location and the time and date of the event, etc. In the case of an app for taxis, the information produced would be origins and destinations of travel, frequency of certain routes and methods of payment.

Tip 2: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.

Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.

4. Activity: Actor Brainstorm (Approximate duration: 1 hour)

Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.

Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.

After completing the list of actors, connect each actor (from column 3) with the information they would be interested in (from column 2) extending a piece of thread from the actor toward the corresponding information. Throughout the exercise, when you consider it pertinent, contribute information about the technopolitical context that the members of the organization may not be taking into account.

Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.

Tip 1: Assign a distinct color of thread to each actor or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.

Tip 2: If the participants are having a hard time coming up with ideas, suggest that they consider a range of types of actors, including international, national, local, political, religious groups, media, and even private individuals with personal interests or vendetta against the organization or its members.

Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).

5. Activity: Actor brainstorm continued- Narrowing down (Estimated duration: 1 hour)

Objective: Determine which actors, in addition to having interest in the information produced from the organization, also possess the capacities and resources necessary to obtain that information without the organization's consent.

Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.

Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.

In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.

When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.

Tip 1: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.

Tip 2: During this exercise, it would be extremely useful to have on hand a table, chart, or infographic that clearly illustrates the legal, technical, and economic prerequisites for obtaining and using different surveillance tools, as well as the specific types of ICTs that these distinct surveillance tools are capable of attacking.

Result: At the conclusion of this exercise, you will have narrowed down a list of actors who have a) an interest in obtaining the organization's information and b) the capacity to obtain it.

6. Activity: Traffic lights (Estimated duration: 1 hour)

Objective: Determine which of the organization's information is sensitive.

Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity '''5'''), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.

Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.

Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".

7. Activity: Doors and Locks (Estimated time: 20 min)

[[File:16_ManualSD_TR.png|400px]]

Objective: Identify mechanisms that could help protect the organization's sensitive information.

Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.

Refer back column 1 of the kraft paper "Uses of technology" to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.

Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:

Tip: In some contexts it may appear that participants do not have enough technical knowledge to have placed adequate "locks" on all their "doors". However, be wary of making false assumptions. Often, organizations put in place digital security mechanisms intuitively, and as facilitators, you should recognize that and bring these advances to their attention.

Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.

8. Closing (Approximate duration: 20 min)

To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.

If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.

Before parting ways, make sure to briefly explain to the group that the next stage of the diagnostic consists in the revision of the staff's computers and the facilities. Make clear that this review is not a forensic analysis, that no programs will be installed on the computers, and that no technical issues will be fixed. Rather, this part of the assessment will offer a bird's eye view of the type of information that is stored, programs that have been installed, and the state of antivirus protections.

Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.

[[File:22_ManualSD_TR.png|600px]]

The collective risk analysis is now complete. Your final step is to transcribe the results into the preliminary report template (Annex I).

'''Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.'''

=== Computer diagnostics and evaluation of facilities===
[[File:17_ManualSD_TR.png|300px]]

Another aspect of digital security is the environment in which devices are being used. Therefore it is important to undertake a systematic evaluation of some of the specific aspects of the facilities and local ICT infrastructure, including:

a) How easy/difficult it is to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.

b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?

c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?

d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?

e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?

f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.

As part of this general review, consider the following checklist:

- Determine if the staff's computers are connected to the internet via WIFI or Ethernet
- Evaluate the network configuration, the strength of the WIFI password, encryption type, and if they have VPN or VLAN configured
- Determine if the modem's original configuration has been changed
- Identify the organization's internet service provider

Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.

Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.

Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.

Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU_Linux operating system (the command '''dd''' could be a good option).

We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.

The main points covered in the computer diagnostics are:

- vulnerabilities due to the absence of an antivirus program, inactive firewall, and lack of security updates
- installation of programs that contain vulnerabilities such as malware, adware and other malicious software
- the exposure of sensitive data due to browsing the internet

If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.

In OS X, you can access the "Console" from the Utilities folder to review the system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.

On all operating systems, perform the following steps:

1. Check the status of firewall on all operating systems
2. Check the status of antivirus protections on the computers, including if an antivirus software is installed, if the database is up-to-date, and logs
3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you
4. Check which search engines are used, if search history and passwords are saved, and which plugins are installed

=== Reviewing findings ===

[[File:21_ManualSD_TR.png|left|300px|RF]][[File:08_ManualSD_TR.png|right|200px|Computer]]

At this time, you will have a large amount of information to review and process.

With respect to the files you saved during the computer diagnostics, review the programs installed. If any standout as uncommon, conduct additional research to determine if they may be a potential threat.

In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.

Tip: Prior to implementing the diagnostic, facilitators should familiarize themselves with common processes that are executed in the main operating systems and how those appear in event logs. With this knowledge under your belt, you will be able to more readily detect unusual processes when they are reported in logs. Remember that the goal is not so much to search for specific errors, but to discover patterns and anomalies.

=== Preparing the preliminary report ===

With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).

The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.

Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.

The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with [https://en.wikipedia.org/wiki/Planned_obsolescence built-in obsolescence] and to opt for [https://en.wikipedia.org/wiki/Free_and_open-source_softwareopen-source and free software].

Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.

=== Presenting the preliminary report ===
[[File:20_ManualSD_TR.png|600px]]

The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.

Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.

When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.

When all the feedback has been given and a consensus has been reached on the content of the preliminary report, the session is essentially adjourned. However, if any time remains, we highly recommend asking the participants to give you feedback on the methodology and facilitation style, as well as their overall sense of the utility of the diagnostic.

Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).

The facilitators must take care to securely transport any files from the computer diagnostics that require further analysis or incorporation into the final report. Securely delete these files once they are no longer needed.

== Putting together the final report==
[[File:19_ManualSD_TR.png|left|300px|Report]] The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.

The last step in the diagnostic is to deliver the final report to the organization. Make sure to send the report using a secure medium as it contains highly sensitive information about the security vulnerabilities of the organization. This is also an opportunity to set a precedent for the handling and transportation of sensitive files.

== Additional resources ==

Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual Zen Manual]

* [https://securityinabox.org/en Security In-A-Box]

* [https://ssd.eff.org Surveillance Self-Defense Security Starter Pack]

* [https://holistic-security.tacticaltech.org Holistic Security]

* [https://safetag.org/ SAFETAG]

* [https://level-up.cc/ Level-up]

In Spanish:

* Materials from [https://karisma.org.co/biblioteca/ Fundación Karisma]

* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

== Acknowledgments ==
[[File:25_ManualSD_TR.png|300px]]

Técnicas Rudas is immeasurably grateful to Ercilia Sahores (Verbamate) for
dedicating more than one sleepless night to helping translate the
original Spanish text of this manual into English. We would also like to
thank Sophie Elizabeth Lally and Philippa Mary Williams for their
meticulous revisions and invaluable contributions in revising and
adapting the content of the English-language manual.

==Credits==
This guide was written by [http://tecnicasrudas.org Técnicas Rudas] with the support of the [https://iwpr.net/ Institute for War and Peace Reporting] . Illustrated by María Silva and Yutsil Mangas

[[File:LogoTR.png|right|300px||Técnicas Rudas]] [[File:IWPR-LOGO.png|left|400px|IWPR]].

== Appendix I: Report Template ==
[https://gendersec.tacticaltech.org/wiki/images/d/d7/DigitalSecurityRiskAssessment_PreliminaryReport_Template.odt Digital Security Risk Assesment Report Template]

== References ==

[[Category:How_To]]

Digital Security Assessment for Human Rights Organizations: A guide for facilitators

2017-09-06T18:17:59Z

Anamhoo: /* Credits */

[[File:01_ManualSD_TR.png|600px]]
== Introduction ==
[[File:24_ManualSD_TR.png|center|600px]]

Advances in Information and Communications Technologies (ICT) have played a critical role in expanding the potential of human rights organizations to make a difference by enabling wider reach, scaling-up and increasing efficiency in essential activities including internal and external communication, remote collaboration, data collection and analysis, and documentation. Simultaneously, the integration of digital technologies into their day to to day work has exposed activists to new risks evidenced by reports of widespread intrusions on privacy from the hacking of emails and Facebook accounts to the infecting of computers with government-purchased spyware and the monitoring of telephone communication. These new risks are also present in the physical robbery of computers, as well as the loss or theft of cellphones containing both personal and professional data. Unwanted access to confidential information can expose activists to a range of threats including blackmail, public humiliation, obstruction of campaign strategies and day-to-day operations through physical, economic or technical interventions, and attacks on their physical security and that of their families and allies in the field.

Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: Either resign to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs all together because it is not worth the risk.

At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenged faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a [https://holistic-security.tacticaltech.org/ holistic security strategy].

Unfortunately, due to lack of time, resources and information, civil society organizations and activists rarely embark on a deliberate process for developing a digital security strategy beyond receiving input from technical experts to resolve immediate issues or learning about best practices and new tools. As a result, agreements to use certain tools or abide by certain protocols are abandoned over time.

For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.

==How to use this guide==

[[File:02_ManualSD_TR.png|400px]]

This guide is directed primarily at the digital security training community, but may also prove useful for an organization that chooses to initiate a digital security process on its own. The activities and structure proposed herein can and should be adapted to the specific circumstances and needs of the organization. The guide can also be a useful reference for facilitators throughout the implementation of the diagnostic. The methodology can also be applied to individual assessments with minimal adjustments.

== Methodological Foundations==

The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.

=== Why "technopolitical"? ===
[[File:03_ManualSD_TR.png|left|350px|Tech]][[File:09_ManualSD_TR.png|riaght|350px|Tech2]]

A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".

A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment, however it also incorporates criteria related to social impact in its guidance on how to develop recommendations.

One example of applying a technopolitcal perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of [https://chupadados.codingrights.org/es/ Coding Rights]).

Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of [https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29 government-driven surveillance and espionage taking place on a global scale]. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the [https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html systematic use of government-purchased spyware against human rights activists and journalists].

Other examples of and practical resources on technopolitics: Everything you read by the [https://www.eff.org/ Electronic Frontier Foundation]; Tactical Tech's [https://tacticaltech.org/projects/27 Politics of Data] project; a Human Rights Watch series on [https://www.hrw.org/news/2016/03/25/digital-disruption-human-rights “Digital Disruption of Human Rights”]; research projects by the [https://www.theengineroom.org/work/=research Engine Room]; the Data&Society Institute's program on [https://datasociety.net/initiatives/data-human-rights/ Data, Human Rights & Human Security].

Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.

=== Transhackfeminism===
[[File:04_ManualSD_TR.png|600px]]

Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:

a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries.

b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of ''Pitchblende'' to obtain just one gram of the material that led her to discover the radio.

c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization.

Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.

=== Popular Education===
[[File:05_ManualSD_TR.png|600px]]

Popular education starts with the recognition that education is a political act. This political act can be repressive if it establishes hierarchical power relations, or emancipatory if it breaks them. In line with popular education, we are proponents of the emancipatory role of education. Our methodology for the facilitation of the participatory diagnostic is guided by the following three axioms:

1) theory and practice are dialectically related

2) consciousness - as its etymology indicates - comes from knowledge learned in the company of others

3) The world not a static reality, but a reality in process (Paulo Freire) <ref>Greater detail on popular education is beyond the scope of this manual, however there is an extensive body of literature on the subject. We recommend starting with [Paolo Freire] (https://es.wikipedia.org/wiki/Paulo_Freire).</ref>

== Preparation ==

[[File:06_ManualSD_TR.png|300px]]

Though the bulk of the diagnostic is carried out ''in situ'' with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of the how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.

=== Research ===
[[File:26_ManualSD_TR.png|500px]]

a) Get to know the organization.

Most likely, you already know something about the organization before deciding to work with them. However, it's important to expand that knowledge as much as possible for two objectives: 1) to evaluate risk for the facilitation team, and 2) to ensure that the assessment process itself is appropriate for the context and culture of the organization.

Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the ''in situ'' participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.

When collecting "public information" for this initial review, consider anything that can be found in media outlets, press releases, political statements, posts on social media, as well as information about the server, legal representative and technical team associated with the domain, any sub-domains and official web address (which can be relatively easily found using websites such as https://whois.net/default.aspx), and if possible, the company that provides the organization's email services.

Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII)<ref>PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.</ref> could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?

b) Analysis of the regional, national and local technopolitical context

In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services,<ref>A potentially helpful resource for answering this question is ShareLab's ([https://labs.rs/en/metadata/ metadata investigation of spy company Hacking Team's email communications]).</ref> as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.

It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.

c) Get up-to-date on programs and tools

This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.

It is also indispensable to be familiar with the business models, privacy policies, and transparency reports of the major companies that provide common ICT services, as well as the security features and any reported security flaws in connection with their products. Consider:

* email
* instant-messaging apps
* file sharing, calendars, real-time shared document editing and other cloud services
* video conferencing
* online tech support programs
* social media platforms
* operating systems
* mobile telecommunications

=== Useful Materials===

For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.

[[File:08_ManualSD_TR.png|left|200px|Computer diagnostics]] For the computer diagnostics: At least two completely clean pin drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.

===Planning and communicating the agenda===

Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work ''in situ''. However, the facilitators should be prepared to dedicate additional time between sessions.

Depending on how the organization is structured, it is crucial that at least one member from each area participate in the diagnostic. This requirement should be extremely clear in the communications with the organization leading up to the diagnostic, as they are likely to only invite technical staff and/or directors. The purpose of requiring at least one person from each area is to obtain the most accurate and complete portrayal of how the organization works.

We recommended the following distribution of activities over the course of 1-2 consecutive days:

'''Day One'''

Morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).

Afternoon session (Facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.

'''Day Two'''

Morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.

It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.

Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one-two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators because you will have to run the computer diagnostics in the afternoon of Day 1 and/or morning of Day 2.

===Planning your trip===
[[File:10_ManualSD_TR.png|400px]]

In planning your trip consider the following factors: budget, security assessment for the facilitators, adequate rest, and conditions that permit you to work late into the night (just in case).

While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.

===Collective care===
[[File:12_ManualSD_TR.png|600px]]

A positive work environment maximizes the focus and energy levels of both the participants and the facilitators. Here are some collective-care measures that facilitators can take before and during the diagnostic:

1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.

[[File:11_ManualSD_TR.png|200px]]

2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.

===Facilitators===

In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:

* Systems Administration
* Analysis of ICTs, and digital security tools
* Pedagogical techniques
* Research on technopolitical topics
* Sensitivity in situations of high emotional stress

You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.

If the team is comprised of biological men and biological women,<ref>Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.</ref> it is important to be aware that organizations (society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred to different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.

== Implementation==

The first day of the ''in situ'' stage of the assessment is comprised of two activities: collective risk analysis with the members of the organization, simultaneously with the hardware diagnostics and evaluation of the facilities.

=== Collective risk analysis ===
[[File:07_ManualSD_TR.png|600px]]

Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:

* Arrange the tables and chairs in a semicircle or U

* Distribute crayons, markers and paper on the table

* Place three long columns of kraft paper on a wall visible to all participants

* On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary

* Obtain the WIFI password in case you need to/are able to research doubts online during the session

1. Presentation (Estimated duration: 10 min)

Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.

To create a constructive environment for conversation, debate and self-expression, it's helpful to agree on some basic guidelines for participation, such as but not limited to:

1. Listen actively and with an open mind to the contributions of others
2. Avoid monopolizing the conversation and interrupting others
3. Be courageous, share your experience and perspective

2. Activity: Around-the-clock (Estimated duration: 45 min)

Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.

Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.

Tip 1: While the participants are working on their drawings, write "Uses of technology" at the top of the first column of kraft paper and divide the column into four roughly equal sections that you label: Cell phone/tablet; Computer; Computer+Cell/tablet; Other devices. This will help organize the notes you take when the participants present their drawings.

After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages partipants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:

- "I use the alarm on my cellphone to wake up in the morning"
- "I use my computer to listen to music with Spotify"
- "I use an app on my cellphone that counts steps"
- "I use Whatsapp to share audio files with my colleagues"
- "I use Dropbox from my computer to backup my documents"

Tip 2: It is not necessary that each and every participant present their drawing. In the interest of time, after a few people have presented, encourage the remaining participants to share uses of technology that have not yet been presented.

Tip 3: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.

Result: At the conclusion of this exercise, you will have a list of the typical ways that the members of the organization use technology.

3. Activity: What information is produced? (Estimated duration: 45 min)

Objective: Determine what information is produced as a consequence of each use of technology.

Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 1), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate because in the course of this activity it is important to be as detailed and exhaustive as possibe. As a consensus is reached, capture the answer in the second column of kraft paper.

Tip 1: Though it may it seem obvious, it is important to provide a clear definition of the word "information". For example, in the case of a photograph, the information is not "the photo", which only refers to the jpg or png file, but the content of the image, such as what is happening, the identities of the people in the picture, their location and the time and date of the event, etc. In the case of an app for taxis, the information produced would be origins and destinations of travel, frequency of certain routes and methods of payment.

Tip 2: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.

Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.

4. Activity: Actor Brainstorm (Approximate duration: 1 hour)

Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.

Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.

After completing the list of actors, connect each actor (from column 3) with the information they would be interested in (from column 2) extending a piece of thread from the actor toward the corresponding information. Throughout the exercise, when you consider it pertinent, contribute information about the technopolitical context that the members of the organization may not be taking into account.

Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.

Tip 1: Assign a distinct color of thread to each actor or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.

Tip 2: If the participants are having a hard time coming up with ideas, suggest that they consider a range of types of actors, including international, national, local, political, religious groups, media, and even private individuals with personal interests or vendetta against the organization or its members.

Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).

5. Activity: Actor brainstorm continued- Narrowing down (Estimated duration: 1 hour)

Objective: Determine which actors, in addition to having interest in the information produced from the organization, also possess the capacities and resources necessary to obtain that information without the organization's consent.

Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.

Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.

In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.

When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.

Tip 1: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.

Tip 2: During this exercise, it would be extremely useful to have on hand a table, chart, or infographic that clearly illustrates the legal, technical, and economic prerequisites for obtaining and using different surveillance tools, as well as the specific types of ICTs that these distinct surveillance tools are capable of attacking.

Result: At the conclusion of this exercise, you will have narrowed down a list of actors who have a) an interest in obtaining the organization's information and b) the capacity to obtain it.

6. Activity: Traffic lights (Estimated duration: 1 hour)

Objective: Determine which of the organization's information is sensitive.

Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity '''5'''), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.

Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.

Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".

7. Activity: Doors and Locks (Estimated time: 20 min)

[[File:16_ManualSD_TR.png|400px]]

Objective: Identify mechanisms that could help protect the organization's sensitive information.

Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.

Refer back column 1 of the kraft paper "Uses of technology" to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.

Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:

Tip: In some contexts it may appear that participants do not have enough technical knowledge to have placed adequate "locks" on all their "doors". However, be wary of making false assumptions. Often, organizations put in place digital security mechanisms intuitively, and as facilitators, you should recognize that and bring these advances to their attention.

Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.

8. Closing (Approximate duration: 20 min)

To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.

If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.

Before parting ways, make sure to briefly explain to the group that the next stage of the diagnostic consists in the revision of the staff's computers and the facilities. Make clear that this review is not a forensic analysis, that no programs will be installed on the computers, and that no technical issues will be fixed. Rather, this part of the assessment will offer a bird's eye view of the type of information that is stored, programs that have been installed, and the state of antivirus protections.

Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.

[[File:22_ManualSD_TR.png|600px]]

The collective risk analysis is now complete. Your final step is to transcribe the results into the preliminary report template (Annex I).

'''Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.'''

=== Computer diagnostics and evaluation of facilities===
[[File:17_ManualSD_TR.png|300px]]

Another aspect of digital security is the environment in which devices are being used. Therefore it is important to undertake a systematic evaluation of some of the specific aspects of the facilities and local ICT infrastructure, including:

a) How easy/difficult it is to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.

b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?

c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?

d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?

e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?

f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.

As part of this general review, consider the following checklist:

- Determine if the staff's computers are connected to the internet via WIFI or Ethernet
- Evaluate the network configuration, the strength of the WIFI password, encryption type, and if they have VPN or VLAN configured
- Determine if the modem's original configuration has been changed
- Identify the organization's internet service provider

Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.

Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.

Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.

Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU_Linux operating system (the command '''dd''' could be a good option).

We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.

The main points covered in the computer diagnostics are:

- vulnerabilities due to the absence of an antivirus program, inactive firewall, and lack of security updates
- installation of programs that contain vulnerabilities such as malware, adware and other malicious software
- the exposure of sensitive data due to browsing the internet

If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.

In OS X, you can access the "Console" from the Utilities folder to review the system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.

On all operating systems, perform the following steps:

1. Check the status of firewall on all operating systems
2. Check the status of antivirus protections on the computers, including if an antivirus software is installed, if the database is up-to-date, and logs
3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you
4. Check which search engines are used, if search history and passwords are saved, and which plugins are installed

=== Reviewing findings ===

[[File:21_ManualSD_TR.png|left|300px|RF]][[File:08_ManualSD_TR.png|right|200px|Computer]]

At this time, you will have a large amount of information to review and process.

With respect to the files you saved during the computer diagnostics, review the programs installed. If any standout as uncommon, conduct additional research to determine if they may be a potential threat.

In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.

Tip: Prior to implementing the diagnostic, facilitators should familiarize themselves with common processes that are executed in the main operating systems and how those appear in event logs. With this knowledge under your belt, you will be able to more readily detect unusual processes when they are reported in logs. Remember that the goal is not so much to search for specific errors, but to discover patterns and anomalies.

=== Preparing the preliminary report ===

With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).

The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.

Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.

The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with [https://en.wikipedia.org/wiki/Planned_obsolescence built-in obsolescence] and to opt for [https://en.wikipedia.org/wiki/Free_and_open-source_softwareopen-source and free software].

Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.

=== Presenting the preliminary report ===
[[File:20_ManualSD_TR.png|600px]]

The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.

Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.

When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.

When all the feedback has been given and a consensus has been reached on the content of the preliminary report, the session is essentially adjourned. However, if any time remains, we highly recommend asking the participants to give you feedback on the methodology and facilitation style, as well as their overall sense of the utility of the diagnostic.

Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).

The facilitators must take care to securely transport any files from the computer diagnostics that require further analysis or incorporation into the final report. Securely delete these files once they are no longer needed.

== Putting together the final report==
[[File:19_ManualSD_TR.png|left|300px|Report]] The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.

The last step in the diagnostic is to deliver the final report to the organization. Make sure to send the report using a secure medium as it contains highly sensitive information about the security vulnerabilities of the organization. This is also an opportunity to set a precedent for the handling and transportation of sensitive files.

== Additional resources ==

Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:

* [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual Zen Manual]

* [https://securityinabox.org/en Security In-A-Box]

* [https://ssd.eff.org Surveillance Self-Defense Security Starter Pack]

* [https://holistic-security.tacticaltech.org Holistic Security]

* [https://safetag.org/ SAFETAG]

* [https://level-up.cc/ Level-up]

In Spanish:

* Materials from [https://karisma.org.co/biblioteca/ Fundación Karisma]

* [https://es.hackblossom.org/cybersecurity/ Guía de Seguridad Digital para Feministas Autogestivas]

== Acknowledgments ==
[[File:25_ManualSD_TR.png|300px]]

Técnicas Rudas is immeasurably grateful to Ercilia Sahores (Verbamate) for
dedicating more than one sleepless night to helping translate the
original Spanish text of this manual into English. We would also like to
thank Sophie Elizabeth Lally and Philippa Mary Williams for their
meticulous revisions and invaluable contributions in revising and
adapting the content of the English-language manual.

==Credits==
This guide was written by [http://tecnicasrudas.org Técnicas Rudas] with the support of the [https://iwpr.net/ Institute for War and Peace Reporting] .

[[File:LogoTR.png|right|300px||Técnicas Rudas]] [[File:IWPR-LOGO.png|left|400px|IWPR]].

Design:

María Silva and Yutsil Mangas

== Appendix I: Report Template ==
[https://gendersec.tacticaltech.org/wiki/images/d/d7/DigitalSecurityRiskAssessment_PreliminaryReport_Template.odt Digital Security Risk Assesment Report Template]

== References ==

[[Category:How_To]]