Digital Security Assessment for Human Rights Organizations: A guide for facilitators
From Gender and Tech Resources
Revision as of 21:07, 16 August 2017 by Anamhoo
- 1 Introduction
- 2 How to use this guide
- 3 Methodological Foundations
- 4 Preparation
- 5 Implementation
- 6 Putting together the final report
- 7 Additional resources
- 8 Acknowledgments
- 9 Appendix I
- 10 References
Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: either resign ourselves to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs altogether because it is not worth the risk.
At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenges faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a holistic security strategy.
For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.
How to use this guide
The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.
A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".
A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment; however, it also incorporates criteria related to social impact in its guidance on how to develop recommendations.
One example of applying a technopolitical perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of Coding Rights).
Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of government-driven surveillance and espionage taking place on a global scale. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the systematic use of government-purchased spyware against human rights activists and journalists.
Other examples of and practical resources on technopolitics: Everything you read by the Electronic Frontier Foundation; Tactical Tech's Politics of Data project; a Human Rights Watch series on “Digital Disruption of Human Rights”; research projects by the Engine Room; the Data&Society Institute's program on Data, Human Rights & Human Security.
Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.
Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:
a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries.
b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of pitchblende to obtain just one gram of the material that led her to discover radium.
c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization.
Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.
1) Theory and practice are dialectically related.
2) Consciousness, as its etymology indicates, comes from knowledge learned in the company of others.
3) The world is not a static reality, but a reality in process (Paulo Freire).
Though the bulk of the diagnostic is carried out in situ with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.
a) Get to know the organization.
Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the in situ participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.
Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII) could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?
b) Analysis of the regional, national and local technopolitical context
In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services, as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.
It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.
c) Get up-to-date on programs and tools
This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.
- instant-messaging apps
- file sharing, calendars, real-time shared document editing and other cloud services
- video conferencing
- online tech support programs
- social media platforms
- operating systems
- mobile telecommunications
For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.
For the computer diagnostics: at least two completely clean USB pen drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.
Planning and communicating the agenda
Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work in situ. However, the facilitators should be prepared to dedicate additional time between sessions.
We recommend the following distribution of activities over the course of 1-2 consecutive days:
Day 1, morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).
Day 1, afternoon session (facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.
Day 2, morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.
It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.
Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one to two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators, because you will have to run the computer diagnostics in the afternoon of Day 1 and/or the morning of Day 2.
Planning your trip
While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.
1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.
2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.
In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:
- Systems Administration
- Analysis of ICTs, and digital security tools
- Pedagogical techniques
- Research on technopolitical topics
- Sensitivity in situations of high emotional stress
You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.
If the team is composed of biological men and biological women, it is important to be aware that organizations (and society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred on different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.
The first day of the in situ stage of the assessment consists of two activities: collective risk analysis with the members of the organization, carried out simultaneously with the hardware diagnostics and evaluation of the facilities.
Collective risk analysis
Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:
- Arrange the tables and chairs in a semicircle or U
- Distribute crayons, markers and paper on the table
- Place three long columns of kraft paper on a wall visible to all participants
- On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary
- Obtain the WIFI password in case you need to/are able to research doubts online during the session
1. Presentation (Estimated duration: 10 min)
Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.
Suggested ground rules for participation:
1. Listen actively and with an open mind to the contributions of others.
2. Avoid monopolizing the conversation and interrupting others.
3. Be courageous; share your experience and perspective.
2. Activity: Around-the-clock (Estimated duration: 45 min)
Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.
Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.
After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages participants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:
- "I use the alarm on my cellphone to wake up in the morning"
- "I use my computer to listen to music with Spotify"
- "I use an app on my cellphone that counts steps"
- "I use WhatsApp to share audio files with my colleagues"
- "I use Dropbox from my computer to back up my documents"
Tip: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.
3. Activity: What information is produced? (Estimated duration: 45 min)
Objective: Determine what information is produced as a consequence of each use of technology.
Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 2), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate, because in the course of this activity it is important to be as detailed and exhaustive as possible. As a consensus is reached, capture the answer in the second column of kraft paper.
Tip: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.
Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.
4. Activity: Actor Brainstorm (Approximate duration: 1 hour)
Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.
Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.
Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.
Tip: Assign a distinct color of thread to each actor, or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.
Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).
5. Activity: Actor brainstorm continued: narrowing down (Estimated duration: 1 hour)
Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.
Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.
In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.
When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.
Tip: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.
6. Activity: Traffic lights (Estimated duration: 1 hour)
Objective: Determine which of the organization's information is sensitive.
Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity 5), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.
Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.
Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".
7. Activity: Doors and Locks (Estimated time: 20 min)
Objective: Identify mechanisms that could help protect the organization's sensitive information.
Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.
Refer back to column 1 of the kraft paper, "Uses of technology", to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.
Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:
Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.
8. Closing (Approximate duration: 20 min)
To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.
If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.
Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.
Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.
Computer diagnostics and evaluation of facilities
a) How easy or difficult is it to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.
b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?
c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?
d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?
e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?
f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.
As part of this general review, consider the following checklist:
- Determine if the staff's computers are connected to the internet via WIFI or Ethernet
- Evaluate the network configuration, the strength of the WIFI password, the encryption type, and whether they have a VPN or VLAN configured
- Determine if the modem's original configuration has been changed
- Identify the organization's internet service provider
Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.
Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.
Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.
Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU-Linux operating system (the command dd could be a good option).
We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.
The main points covered in the computer diagnostics are:
- vulnerabilities due to the absence of an antivirus program, an inactive firewall, and lack of security updates
- installation of programs that contain vulnerabilities, such as malware, adware and other malicious software
- the exposure of sensitive data due to browsing the internet
If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.
In OS X, you can access the "Console" from the Utilities folder to review the system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.
On all operating systems, perform the following steps:
1. Check the status of the firewall on all operating systems
2. Check the status of antivirus protections on the computers, including whether antivirus software is installed, whether its database is up-to-date, and its logs
3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you
4. Check which search engines are used, whether search history and passwords are saved, and which plugins are installed
At this time, you will have a large amount of information to review and process.
In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.
To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities, including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.
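As an added example (not part of the original guide), the two red flags described in the log review, turned into a small script of the kind Tip 2 suggests sharing: it parses a constructed, simplified log (timestamp, event kind, detail), applies the office hours the organization told you, and reports computers booted while the office was closed and remote addresses contacted repeatedly during those hours. The log format, the office hours and the sample addresses are assumptions; adapt parse_line() to the Event Viewer, Console or syslog export you actually collected.

```python
"""Flag log entries that contradict an organization's known working hours.

Added example for the log review step of the computer diagnostics. The log
format is a constructed, simplified one (timestamp, event kind, detail); in a
real diagnostic you would adapt parse_line() to the export you collected
(Event Viewer, Console, syslog). Office hours and weekdays are assumptions
supplied by the facilitator from what the organization told them.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    when: datetime
    kind: str      # "boot" or "connect"
    detail: str    # empty for boot, remote IP for connect


def parse_line(line: str) -> Optional[Event]:
    """Parse one 'YYYY-MM-DD HH:MM:SS<TAB>kind<TAB>detail' line; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 2:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    detail = parts[2] if len(parts) > 2 else ""
    return Event(when, parts[1].strip().lower(), detail.strip())


def is_off_hours(when: datetime, open_hour: int, close_hour: int,
                 workdays=range(0, 5)) -> bool:
    """True when the timestamp falls outside the hours the office is staffed.

    open_hour is inclusive, close_hour exclusive; workdays use Monday=0..Sunday=6.
    """
    if when.weekday() not in workdays:
        return True
    return not (open_hour <= when.hour < close_hour)


def review_logs(lines: List[str], open_hour: int = 8, close_hour: int = 14,
                min_repeats: int = 3) -> Dict[str, object]:
    """Apply the two red-flag heuristics from the guide:

    - a computer booting while the office is closed
    - the same remote IP contacted repeatedly while the office is closed
    Returns the flagged boots (timestamps) and the recurring IPs with counts.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    off_hours = [e for e in events if is_off_hours(e.when, open_hour, close_hour)]

    boots = [e.when for e in off_hours if e.kind == "boot"]
    ip_counts = Counter(e.detail for e in off_hours
                        if e.kind == "connect" and e.detail)
    recurring = {ip: n for ip, n in ip_counts.items() if n >= min_repeats}

    return {"off_hours_boots": boots, "recurring_connections": recurring,
            "events_parsed": len(events)}


# Constructed sample log; 2017-08-14 is a Monday, 2017-08-19 a Saturday. The
# office in this scenario is staffed weekday mornings only (08:00-14:00).
# 192.0.2.0/24 is a documentation range, used as a placeholder remote address.
SAMPLE_LOG = """\
2017-08-14 08:02:11\tboot\t
2017-08-14 09:15:40\tconnect\t192.0.2.10
2017-08-14 23:41:03\tboot\t
2017-08-14 23:42:17\tconnect\t192.0.2.77
2017-08-15 00:12:05\tconnect\t192.0.2.77
2017-08-15 08:05:49\tboot\t
2017-08-15 12:30:00\tconnect\t192.0.2.10
2017-08-16 03:07:22\tconnect\t192.0.2.77
2017-08-19 10:00:00\tboot\t
this line is not a log entry
""".splitlines()


if __name__ == "__main__":
    findings = review_logs(SAMPLE_LOG)
    for when in findings["off_hours_boots"]:
        print("off-hours boot:", when)
    for ip, n in findings["recurring_connections"].items():
        print(f"recurring off-hours connection to {ip}: {n} times")
```

A flagged entry is a question to raise with the organization during the feedback session, not a conclusion on its own; a night-time boot may turn out to be a scheduled update.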
Preparing the preliminary report
With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).
The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.
Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.
The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with built-in obsolescence and to opt for free software.
Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.
Presenting the preliminary report
The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.
Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.
When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.
Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).
Putting together the final report
The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.
Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:
- Materials from Fundación Karisma
- Greater detail on popular education is beyond the scope of this manual; however, there is an extensive body of literature on the subject. We recommend starting with Paulo Freire (https://es.wikipedia.org/wiki/Paulo_Freire).
- PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.
- A potentially helpful resource for answering this question is ShareLab's metadata investigation of spy company Hacking Team's email communications.
- Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.