Holistic security - Communications Security

From Gender and Tech Resources

Revision as of 22:43, 19 July 2015 by Eva (Talk | contribs)

Title of the tutorial Communications Security: an introduction
Attributions
Kind of learning session Holistic
Tutorial category Discussion
Duration (hours) 1h 20m
"h20m" can not be assigned to a declared number type with value 1.
Learning objectives Create understanding of how communications work and it's inherent insecurities in a non technical way. Provide a framework for approaching digital security and communications in general.
Prerequisites This session can be an introduction to several topics with some minor modifications on the content and focus. Some related sessions that this can be of use as an introduction could include:
  • mobile security
  • how the internet and mobiles work
Methodology [[Methodology::== Activity & Discussion (Option I): What is the Internet? (20 minutes) ==

Keyword identification activity. This activity starts off with a word-association game, similar to “What is Security”.

Step 1. Ask the participants to share words that come to their mind when they hear the word "Internet". Encourage participants not to 'hold back' but to respond as spontaneously as possible, without thinking

Step 2. the facilitator jots the words down on a flip-chart paper or a whiteboard.

Step 3. Highlight the words which arise from the group which are related to communications. The idea for the activity is to emphasize that most of the activities that we do on the Internet are largely about communications. There has to be some agreement with the participants that this is the case. If there are are other ideas you can proceed to have a discussion to provide further clarification and arrive at some agreement/s and consensus.

Activity & Discussion (Option II): The postal service. (30 minutes)

Step 1. Divide participants into three groups: two groups of human rights defenders/journalists who need to communicate with one another, and one group who are the 'postal service'.

Step 2. Tell participants that we are going back in time to before the internet. How did we communicate back then? With the postal service!

Step 3. Give the two groups of HRDs materials including: postcards, sheets of white and coloured paper, pens, sellotape, stickers, etc. Instruct each group that they have to send a message to the other group, and they have to use the postal service. They will need to write a message, and include the sender, recipient, etc. When the message is written, they can call the postal service to come and collect the letter and they will deliver it.

Step 4. While these two groups are writing, instruct the postal service group to gather as much data as possible about the messages.

Step 5. After the first round of communications is complete, allow one more, and remind the HRDs to look at the other materials to find ways of protecting their communication, if they feel it might be monitored.

Discussion: After a couple of rounds of communication, ask the postal service to report back on what information they gathered. How did they get this information? How did the HRDs attempt to protect it – what were the advantages and disadvantages of each method?

Input: Elements of a Communication process (20 minutes)

The discussion that follows after the activity will focus on the elements that compose a communication process. The main idea is to emphasize that digital security is not simply about technology and tools but largely about awareness. Security awareness should preceed tool usage. An informed appreciation of security awareness should guide tool usage.

- Sender and Receiver. The participation of the communicating parties is essential in every communication. This can be one-to-one, one-to-many and many-to-many. Remember that security is more difficult to maintain when more parties are involved. When talking about the sender and the receiver this is almost always a trust issue and no technology can provide a solution to this aspect of communication. This involves the actual human individuals that send and or receive the information. In some cases simply communicating with a specific individual or organisation might put your security at risk and vice versa.

- Message. At first glance, the message is simply the information that you communicate. The focus is usually the content of the message, and rightly so since this is one of the main concerns when talking about security. It is important to note that information about the message is equally as important. Information about the message (information about information), called meta-data are information items that surrounds the actual message. Meta-data includes information such as the sender and receiver, or the date an email was sent. Meta-data can reveal information that might compromise your security – such as your location or contacts. Security for this element is both an awareness and tool concern. You might learn encryption and be good at hiding the content of your message but in the same respect you might be compromising your security by using encryption. Email encryption hides the content of your messages from everybody else and only readable to your intended recipient. But, this may not hide the fact that you are using encryption. Remember that hiding information is very much different from hiding the fact that you are hiding information

- Channel. A channel is the medium on which a message is conveyed from the sender to the receiver. Spoken words can be conveyed via the air and paper mail can be sent and received via the postal service. In both these examples air and the postal service acts as the channel. There are numerous channels, but for our purposes we will focus on internet channels and services. Internet channels can be your Internet Service Providers and telecommunication companies. Channels are largely owned by corporations and we are subject to how these channels are setup and secured by these providers of services. This is largely an awareness and trust issue since we do not have a say on how these channels can be secured. Services can be your email and social networking subscriptions to name a few. Most if not all internet services are subject to laws of the country where their systems physically reside and what country they are registred with as company.

- Location. Location is a very important piece of meta-data which accompanies internet communications. For any communication to take place the sender should be able to know the receiver's location and vice versa. It would would be very difficult if not impossible to communicate if you do not know the location of the individual you are communicating with. It would not be possible to send a paper mail if you don't know the address of the intended recepient. Prior to the internet this element was largely about your physical location, i.e. you physical postal address. This no longer holds true and has extended to mean our virtual locations based on the services that we use and subscribe to on the internet. Email addresses, your social media accounts are locations on the internet, which are identified by IP addresses (Internet Protocol addresses). These often correspond to concrete physical locations. Like houses and offices, virtual locations such as email and social media accounts can be subject to burglary and attack. This element is both an awareness and technology concern. There are tools that can help you hide your loccation and provide you some level of anonymity to hide your identity.

It may be useful to accompany this with a short demonstration of Trackography so that participants can visualise how data travels across the world when we browse the internet.

- Protocol. This is how and what you use to assemble and transmit your message through a specific channel. Most protocols don't hide your identity but focuses more on the message. Examples of internet protocols would include 'HTTP' and 'HTTPS'. HTTP is the default language that allows your browser to communicate with a webserver, i.e., the way that the data from most websites is assembled and travels across the internet to your browser. HTTP does not hide your message and can be seen by your channel provider or whoever has access to that channel. HTTPS on the other hand allows you to hide (encrypt) your message, so only the browser and the web server can see the message. Of course this is more complicated than this, what is important to note is that most protocols are concerned with the security of the message and not the meta data that accompanies the message. Another thing to remember is that protocols should be known (implemented) by both the sender, receiver and channel. Your browser is 'HTTPS aware', meaning it can understand HTTPS, but the server of a website must provide HTTPS in the first place. If the web server does not provide HTTPS, then HTTPS communication will not happen. On the channel side, the channel should allow HTTPS as well for the communication to happen. Usually, most internet channels allow HTTPS but in some cases this protocol is not allowed and is filtered or blocked.

- Context. The environment or the situation in which your message was sent and delivered. This is largely non technical but more political in most cases. Understanding your context is always helpful to determine the security of your communication. Doing a risk assessment is a first step in understanding your context and effectively secure your communication.

Deepening: Prioritising Sensitive Elements (20 minutes)

This can be an activity/exercise where in the participants can provide examples for each of the elements based on the Input section above. The idea for this, is to have the participants deepen their understanding of these elements by relating these to their personal experiences and organizations that they work with.

Participants can, either individually or as a group, fill in a sheet of paper or flip-chart wherein each category (above) is marked clearly. The questions to pose for each are: Sender/receiver: which contacts are sensitive and would we rather not share that we are in touch with? Message: which particular content is most important for us to protect (even if it draws attention to us) Channel: Which channels and services do we use to communicate? Do we trust them? Can we change any of them? Location: is our location sensitive when we communicate? (when/where?)

Outline again the options which are available to increase security of the communication: Sender/receiver, location: VPN, and TOR Message: HTTPS, GPG and secure chat (Jitsi, Pidgin) Channel: Alternatives to Google etc. (Riseup, Autistici, Diaspora)

This information can be used as the starting point for deciding which technical and tool-based needs exist in the group, and later, developing a communication policy.

Alternative: This section can again be be an activity where in we map out the different elements of communication. Each or a group of participant/s can act out a specific element and identify ways to make communication insecure and also make information secure. The end of the exercise can be a short list of both insecurities and ways to be more secure.

Synthesis

  • The internet is primarily a communicative tool. Even browsing a website is communication.
  • Protecting communication is not just about protecting the content, but meta-data may also be sensitive
  • Protecting content and meta-data can also draw attention to us]]
Number of facilitators involved 1
Technical needs Flipchart, whiteboard, postcards/paper, coloured paper, stickers, pens, markers
Theoretical and on line resources xx