Holistic security - Communications Security

From Gender and Tech Resources

Revision as of 10:56, 27 August 2015 by Eva (Talk | contribs)

Title of the tutorial Communications Security: an introduction
Attributions
Kind of learning session Holistic
Tutorial category Discussion
Duration (hours) 1h 20m
"h20m" can not be assigned to a declared number type with value 1.
Learning objectives Create understanding on how communications work and it's inherent insecurities in a non technical way.

Provide a framework for approaching digital security and communications in general.

Prerequisites This session can be an introduction to several topics with some minor modifications on the content and focus, as for example mobile security or how the internet and mobiles work.
Methodology [[Methodology::Methodology:

Activity & Discussion (Option I): What is the Internet? (20 minutes)

This activity starts off with a word-association game, similar to “What is Security”.

Step 1. Ask the participants to share words that come to their mind when they hear the word "Internet". Then the facilitator jots the words down on a flip-chart paper or a whiteboard.

Step 2. Highlight the words which arise from the group which are related to communications. The idea for the activity is to emphasize that most of the activities that we do on the Internet are largely about communications.

Activity & Discussion (Option II): The postal service. (30 minutes)

Step 1. Divide participants into three groups: two groups of human rights defenders/journalists who need to communicate with one another, and one group who are the 'postal service'. Tell participants that we are going back in time to before the internet. How did we communicate back then? With the postal service!

Step 2. Give the two groups of HRDs materials including: postcards, sheets of white and coloured paper, pens, sellotape, stickers, etc. Instruct each group that they have to send a message to the other group, and they have to use the postal service. They will need to write a message, and include the sender, recipient, etc. When the message is written, they can call the postal service to come and collect the letter and they will deliver it. While these two groups are writing, instruct the postal service group to gather as much data as possible about the messages.

Step 3. After the first round of communications is complete, allow one more, and remind the HRDs to look at the other materials to find ways of protecting their communication, if they feel it might be monitored.

Discussion: After a couple of rounds of communication, ask the postal service to report back on what information they gathered. How did they get this information? How did the HRDs attempt to protect it – what were the advantages and disadvantages of each method?

Input: Elements of a Communication process (20 minutes)

The discussion that follows after the activity will focus on the elements that compose a communication process. The main idea is to emphasize that digital security is not simply about technology and tools but largely about awareness. Security awareness should preceed tool usage.

- Sender and Receiver. The participation of the communicating parties is essential in every communication. This can be one-to-one, one-to-many and many-to-many. Remember that security is more difficult to maintain when more parties are involved. When talking about the sender and the receiver this is almost always a trust issue and no technology can provide a solution to this aspect of communication.

- Message. At first glance, the message is simply the information that you communicate. The focus is usually the content of the message, and rightly so since this is one of the main concerns when talking about security. It is important to note that information about the message is equally as important. Information about the message (information about information), called meta-data are information items that surrounds the actual message. Security for this element is both an awareness and tool concern. You might learn encryption and be good at hiding the content of your message but in the same respect you might be compromising your security by using encryption.

- Channel. A channel is the medium on which a message is conveyed from the sender to the receiver. For our purposes we will focus on internet channels and services. Internet channels can be your Internet Service Providers and telecommunication companies. Channels are largely owned by corporations and we are subject to how these channels are setup and secured by these providers of services. Services can be your email and social networking subscriptions to name a few. Most if not all internet services are subject to laws of the country where their systems physically reside and what country they are registred with as company.

- Location. Location is a very important piece of meta-data which accompanies internet communications. For any communication to take place the sender should be able to know the receiver's location and vice versa. It would would be very difficult if not impossible to communicate if you do not know the location of the individual you are communicating with. Email addresses, your social media accounts are locations on the internet, which are identified by IP addresses. These often correspond to concrete physical locations. Like houses and offices, virtual locations such as email and social media accounts can be subject to burglary and attack. This element is both an awareness and technology concern. There are tools that can help you hide your loccation and provide you some level of anonymity to hide your identity. It may be useful to accompany this with a short demonstration of Trackography so that participants can visualise how data travels across the world when we browse the internet.

- Protocol. This is how and what you use to assemble and transmit your message through a specific channel. Most protocols don't hide your identity but focuses more on the message. Examples of internet protocols would include 'HTTP' and 'HTTPS'. HTTP does not hide your message and can be seen by your channel provider or whoever has access to that channel. HTTPS on the other hand allows you to hide (encrypt) your message, so only the browser and the web server can see the message. Of course this is more complicated than this, what is important to note is that most protocols are concerned with the security of the message and not the meta data that accompanies the message.

- Context. The environment or the situation in which your message was sent and delivered. This is largely non technical but more political in most cases. Understanding your context is always helpful to determine the security of your communication. Doing a risk assessment is a first step in understanding your context and effectively secure your communication.

Deepening: Prioritising Sensitive Elements (20 minutes)

This can be an activity/exercise where the participants can provide examples for each of the elements based on the Input section above. The idea for this, is to have the participants deepen their understanding of these elements by relating these to their personal experiences and organizations that they work with.

Participants can, either individually or as a group, fill in a sheet of paper or flip-chart wherein each category (above) is marked clearly. The questions to pose for each are: Sender/receiver: which contacts are sensitive and would we rather not share that we are in touch with? Message: which particular content is most important for us to protect (even if it draws attention to us) Channel: Which channels and services do we use to communicate? Do we trust them? Can we change any of them? Location: is our location sensitive when we communicate? (when/where?)

Outline again the options which are available to increase security of the communication: Sender/receiver, location: VPN, and TOR Message: HTTPS, GPG and secure chat (Jitsi, Pidgin) Channel: Alternatives to Google etc. (Riseup, Autistici, Diaspora)

This information can be used as the starting point for deciding which technical and tool-based needs exist in the group, and later, developing a communication policy.

Synthesis

  • The internet is primarily a communicative tool. Even browsing a website is communication.
  • Protecting communication is not just about protecting the content, but meta-data may also be sensitive
  • Protecting content and meta-data can also draw attention to us]]
Number of facilitators involved 1
Technical needs Flipchart, whiteboard, postcards/paper, coloured paper, stickers, pens, markers
Theoretical and on line resources [[Theoretical and on line resources::Integrated security manual

https://myshadow.org/trackography]]