The huge gaps in information technology which exist throughout the world also affect human rights defenders. This chapter focuses mainly on information technology - i.e. computers and the internet. Defenders without access to computers or the internet may not find some of the contents relevant now. Instead, they urgently need the necessary means and training to use information technology in the defence of human rights.
(With the collaboration of Privaterra – www.privaterra.org)
Knowledge is power, and by knowing where your potential communications security problems lie, you can feel safer while doing your work. The following list outlines the various ways in which your information or communications can be illegally accessed or manipulated, and suggests ways of avoiding such security problems.
Information doesn’t need to pass through the internet to be illegally accessed. When discussing sensitive issues, consider the following questions:
1. Do you trust the people you are talking to?
2. Do they need to know the information you are giving them?
3. Are you in a safe environment? Bugs or other listening devices are often specifically planted in areas where people assume they are safe, such as private offices, busy streets, home bedrooms and cars.
It may be difficult to know the answer to the third question, because microphones or bugs can be planted in a room to record or transmit everything being said there. Laser microphones can also be directed at windows from great distances to listen to what is being said inside a building. Heavy curtains provide some protection against laser bugs, as does installing double glazed windows. Some secure buildings have two sets of windows installed in offices to reduce the risk of laser listening devices.
What can you do?
All phone calls can be listened in to if the listener has enough technological capacity. No phone call can be assumed to be secure. Analogue mobile phones are much less secure than digital mobile phones, and both are much less secure than landlines.
Both your location and your conversations can be picked up through cellular surveillance. You don’t have to be talking for your location to be tracked – this can be done anytime your mobile phone is switched on.
Do not keep information such as sensitive names and numbers in your phone’s memory. If your phone is stolen, this information can be used to track down and implicate people you want to protect.
Keep the office locked at all times, including doors and windows. Use keys that require specific authorisation to be copied and keep track of all copies. Do NOT give keys to third parties, even maintenance and cleaning staff, and make sure you or someone you trust is always present when third parties are in the office. If this is not possible, make sure you have a room with limited access where vulnerable files are kept. Consider locking all office doors and leaving non-confidential waste outside in the hallway at night.
Use a cross-cut shredder for anything confidential. Strip shredders are mostly useless. For disposing of particularly confidential material, consider burning the shreddings, pulverizing the ashes and flushing the ashes down the toilet.
1. More detailed advice on computer security is available from Front Line by contacting info@frontlinedefenders.org or from Privaterra at info@privaterra.org.
2. Lock computers away when leaving the office, if possible. Turn computer screens away from windows.
3. Use surge protectors for all power outlets (variations in the electrical current can damage your computer).
4. Keep back-up information, including paper files, in a secure, separate location. Make sure your back-ups are secure by keeping them on an encrypted computer hard drive with a secure data back-up organisation, or secured by sophisticated physical locks.
5. To reduce the risk of someone accessing your computer, passphrase-protect your computer and always shut off your computer when you leave it.
6. Encrypt your files in case someone does access your computer or bypasses your passphrase protection.
7. If your computer is stolen or destroyed, you will still be able to recover your files if you have created a secure back-up every day. Keep the encrypted back-ups away from your office in a safe place.
8. Erased files cannot be reconstructed if you have wiped them using PGP Wipe or another utility, instead of just placing them in the computer’s trash or recycle bin.
9. Your computer can be programmed to send out your files or otherwise make you vulnerable without your knowledge. To avoid this, buy your computer from a trusted source, flatten the computer (i.e. reformat the hard drive) when you first get it, and then only install the software you want. Only allow trusted technicians to service your computer and watch them at all times.
10. Consider unplugging your computer’s phone connection/modem, or otherwise physically disabling your internet connection, when leaving the machine unattended. This way, rogue programs calling out in the middle of the night will not work. Never leave your computer on when you leave for the day. Consider installing software that will disable access after a certain set time of inactivity. This way, your machine is not vulnerable while you get a coffee or make a photocopy.
11. In your web preferences, enable file extensions in order to tell what kind of file it is before you open it. You don’t want to launch a virus by opening an executable file that you thought was a text file. In Internet Explorer, go to the Tools menu and choose Folder Options. Click View and make sure the box Hide extensions for known file types is NOT checked.
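The effect of the hidden-extension setting in item 11, as an added example that is not part of the original guide: it shows how an attachment name appears when the final extension is hidden and flags files whose real type is a program. The extension lists and sample file names are constructed for illustration, and hiding every final extension is a simplification of what Windows does for known file types.

```python
import os
from typing import Dict, List

# Partial lists chosen for this example (assumptions, not an official catalogue).
RUNNABLE = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
DOCUMENT = {".txt", ".doc", ".rtf", ".pdf", ".jpg", ".gif", ".xls"}


def displayed_name(filename: str) -> str:
    """Name as it appears when the final extension is hidden from view."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def assess(filename: str) -> Dict[str, str]:
    """Compare what the user sees with what the file really is."""
    name = filename.strip()
    real_ext = os.path.splitext(name)[1].lower()      # decides how the file opens
    shown = displayed_name(name)
    apparent_ext = os.path.splitext(shown)[1].lower()  # what the user believes
    if real_ext in RUNNABLE and apparent_ext in DOCUMENT:
        verdict = "disguised-program"
    elif real_ext in RUNNABLE:
        verdict = "program"
    else:
        verdict = "data"
    return {"file": name, "shown_as": shown, "real_type": real_ext, "verdict": verdict}


def flag(filenames: List[str]) -> List[Dict[str, str]]:
    """Return the assessments of every attachment that is actually a program."""
    results = [assess(f) for f in filenames]
    return [r for r in results if r["verdict"] != "data"]


# Constructed attachment names.
SAMPLE = ["report.doc", "minutes.txt.exe", "setup.EXE", "photo.jpg"]

if __name__ == "__main__":
    for r in flag(SAMPLE):
        print(f'{r["file"]}: shown as "{r["shown_as"]}", real type {r["real_type"]} -> {r["verdict"]}')
```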
Your email does not fly directly from your computer to the intended recipient’s computer. It goes through several nodes and leaves behind information as it passes. It can be accessed all along the path (not only in/from your country!)
Someone could be looking over your shoulder as you type. This is especially problematic in internet cafes. If you are connected to a network, your email may be accessible to everyone else in the office. Your system administrator may have special administrative privileges to access all emails.
Your internet service provider (ISP) has access to your emails, and anyone with influence over your ISP may be able to pressure it into forwarding them copies of all your emails or to stop certain emails from getting through.
As they pass through the internet, your emails flow through hundreds of insecure third-parties. Hackers can access email messages as they pass. The ISP of your intended recipient may also be vulnerable, along with the network and office of your intended recipient.
Basic internet security
Viruses and other problems, such as Trojan Horses or Trojans, can come from anywhere; even friends may unknowingly spread viruses. Use a good anti-virus program and keep up-to-date with automatic online updating. New viruses are constantly being created and discovered, so check out the Virus Information Library at www.vil.nai.com for the latest virus protection patches.
Viruses are usually spread through emails, so practice safe emailing (see below). Viruses are single programs designed to replicate and may or may not be malignant. Trojans are programs designed to give a third party (or anyone!) access to your computer.
A good firewall can help you appear invisible to hackers and keep out intruders trying to get into your system. This ensures that only authorised applications can connect to the internet from your computer and prevents programs such as Trojans from sending out information or opening “back doors” to your computer through which hackers can enter.
A “key logger” system can track every keystroke you make. These programs are spread either by someone putting them onto your computer while you are away, or through a virus or Trojan that attacks your system over the internet. Key loggers track your keystrokes and report on your activities, usually over the internet. They can be defeated through passphrase-protecting your computer, practising safe emailing, using an anti-virus program, and using a mouse-guided program to type in your passphrase. Key loggers can also be disabled by physically disconnecting your computer’s internet access - usually by simply unplugging the computer’s telephone connection - when you are not using the computer.
An email address can be “spoofed” (faked) or used by someone other than the true owner. This can be done by obtaining access to another person’s computer and password, by hacking into the service provider, or by using an address that appears to be the specific person’s address. For example, by exchanging the lowercase “l” with the number “1”, you can create a similar address and most people will not notice the difference. To avoid being fooled by a spoof, use meaningful subject lines and periodically ask questions that only the true person could answer. Confirm any suspicious requests for information by following it up through another form of communication.
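One way to check incoming mail for the look-alike addresses described above, as an added example that is not part of the original guide. The contact list, the sample senders and the small table of confusable characters are assumptions made for illustration.

```python
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Single characters that are easy to mistake for one another in common fonts.
# The guide's own case is lowercase "l" versus the digit "1".
_SINGLE = str.maketrans({"1": "l", "I": "l", "|": "l", "0": "o", "O": "o"})
# Letter pairs that read as a single letter at a glance.
_PAIRS = (("rn", "m"), ("vv", "w"))


def skeleton(address: str) -> str:
    """Reduce an address to a form in which look-alike characters compare equal."""
    s = address.strip().translate(_SINGLE).lower()
    for pair, single in _PAIRS:
        s = s.replace(pair, single)
    return s


def check_sender(from_header: str, contacts: List[str]) -> Tuple[str, Optional[str]]:
    """Return ("known" | "lookalike" | "unknown", the contact concerned or None)."""
    _, addr = parseaddr(from_header)          # strips any display name
    addr = addr.strip()
    if not addr:
        return ("unknown", None)
    exact = {c.lower(): c for c in contacts}
    if addr.lower() in exact:                 # genuine address, any letter case
        return ("known", exact[addr.lower()])
    # Contacts are trusted, so lowercase them before reducing; the sender is
    # reduced both as typed (capital "I" posing as "l") and lowercased.
    by_skeleton = {skeleton(c.lower()): c for c in contacts}
    for candidate in (skeleton(addr), skeleton(addr.lower())):
        if candidate in by_skeleton:
            return ("lookalike", by_skeleton[candidate])
    return ("unknown", None)


# Constructed address book and constructed From: headers.
CONTACTS = ["paul.miller@example.org", "info@example.org"]
SAMPLE_HEADERS = [
    "Paul Miller <paul.miller@example.org>",
    "Paul Miller <paul.mi11er@example.org>",
    "info@examp1e.org",
    "newsletter@example.net",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, contact = check_sender(header, CONTACTS)
        print(f"{header!r}: {verdict}" + (f" ({contact})" if contact else ""))
```

A "lookalike" result is a reason to confirm the message through another form of communication, as the paragraph above advises; it does not replace the personal questions and subject lines.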
Keep your browsing activity private by not accepting cookies and by deleting your cache every time you use the web. In Internet Explorer, go to Tools, then Options. In Netscape Navigator, go to Edit, then Preferences. While you’re in either of these menus, delete all your history, any cookies you may have and empty your cache. Remember to delete all your bookmarks as well. Browsers also keep records of the sites you visit in cache files, so find out which files should be deleted on your system.
Upgrade all web browsers to support 128-bit encryption. This will help safeguard any information you want to pass securely over the web, including passwords and other sensitive data submitted on forms. Install the most recent security patches for all software used, especially Microsoft Office, Microsoft Internet Explorer and Netscape.
Don’t use a computer with delicate information stored on it for non-essential web browsing.
These are safe email practices which you and all your friends and associates should follow. Let them know that you will not open their email unless they practice safe emailing.
1. NEVER open an email from someone you don’t know.
2. NEVER forward an email from someone you don’t know, or which originated with someone you don’t know. All those “think happy thoughts” emails that people send around could contain viruses. By sending them to your friends and associates you may be infecting their computers. If you like the sentiment enough, retype the message and send it out yourself. If retyping it is not worth your time, it’s probably not that important a message.
3. NEVER download or open an attachment unless you know what it contains and that it is secure. Turn off automatic download options in your email program. Many viruses and Trojans spread themselves as “worms” and modern worms often appear to have been sent by someone you know. Smart worms scan your address book, especially if you use Microsoft Outlook or Outlook Express, and replicate by masquerading as legitimate attachments from legitimate contacts. PGP signing your emails, both with and without attachments, can greatly reduce confusion over virus-free attachments you send to colleagues (PGP is software for encrypting information; please see below under “Encryption”).
4. DON’T use HTML, MIME or rich text in your email - only plain text. Enriched emails can contain embedded programs which could allow access or damage your computer files.
5. If using Outlook or Outlook Express, turn off the preview screen option.
6. Encrypt your email whenever possible. An unencrypted email is like a postcard that can be read by anyone who sees it or obtains access to it. An encrypted email is like a letter in an envelope inside a safe.
7. Use meaningful subject lines so the reader knows that you intended to send the message. Tell all your friends and colleagues to always say something personal in the subject line so you know they truly sent the message. Otherwise someone might be spoofing them, or a Trojan might have sent out an infected program to their entire mailing list, including you. However, don’t use subject lines that give away secure information in encrypted emails. Remember, the subject line is not encrypted and can give away the nature of the encrypted mail, which can trigger attacks. Many hacking programs now automatically scan and copy email messages with “interesting” subjects such as “report”, “confidential”, “private” and other indications that the message is of interest.
8. NEVER send email to a large group listed in the “To” or “CC” lines. Instead, send the message to yourself and include everyone else’s name in the “bcc” lines. This is common courtesy as well as good privacy practice. Otherwise, you are sending MY email address to people I don’t know, a practice that is rude, offensive and potentially both frustrating and dangerous.
9. NEVER respond to spam, even to request to be taken off the list. Spam servers send email to vast hordes of addresses and they never know which ones are “live” – meaning that someone is using the email address actively. By responding, the server recognizes you as a “live” account and you are likely to receive even more spam as a result.
10. If possible, keep a separate computer, not connected to any other, that accepts general emails and contains no data files.
The following is a list of frequently asked questions and answers. Feel free to ask us anything else you want to know by contacting the NGO Privaterra through http://www.privaterra.org
Q: What is encryption?
A: Encryption means scrambling data into a secret code that cannot be deciphered except by the intended party. Given enough time and computing power, all encrypted messages can be read, but this can take huge amounts of time and resources. In simple terms, encryption is a way for you to secure your files and emails from spying eyes. Your files get translated into code – an apparently random collection of numbers and letters – that makes no sense to anyone who sees it. To encrypt a file, you "lock" it with a key, represented by a pass phrase. To encrypt a message, you lock it with a key pair using your pass phrase. It can only be opened by the intended recipient, using his or her own pass phrase.
Q: Why should human rights groups use encryption?
A: Everyone should use encryption, because digital communications are inherently unsafe. However, human rights workers are much more at risk than most people and their files and communications are more sensitive. It is imperative for human rights workers to use encryption to protect themselves and the people they are trying to help.
Digital technology is a benefit to human rights groups, allowing them easier communications, greater efficiency and more opportunities. However, with any benefits come certain dangers. Just because you wear a seat belt doesn’t mean you are expected to have an accident every time you drive. Driving in a more dangerous situation, such as a race, makes you even more likely to use a seatbelt, just to be safe.
Human rights workers are known targets of surveillance. Since unencrypted emails can be accessed and read by almost anyone, it is almost inevitable that your unencrypted emails will be accessed at some point. Your messages may already be monitored by your opponents and you will never know. The opponents of people you are working to help are also your opponents.
Q: Is it illegal to use encryption?
A: Sometimes. It is perfectly legal to use encryption in most countries of the world. However, there are exceptions. In China, for example, organisations must apply for a permit to use encryption, and any encryption technology on your laptop must be declared as you enter the country. Singapore and Malaysia have laws requiring anyone wishing to use encryption to report their private keys. Similar laws are pending in India. Other exceptions also exist.
The Electronic Privacy Information Center (EPIC) provides an International Survey of Encryption Policy discussing the laws in most countries at http://www2.epic.org/reports/crypto2000/. This list was last updated in 2000. If you are concerned, check with Privaterra before using encryption in a particular country.
Q: What do we need to keep our IT systems safe?
A: It depends on your system and your activities, but generally everyone should have:
But having the right software is not the whole solution. Individuals are usually the weakest link, not technology. Encryption doesn't work if individuals don't use it consistently, if they share their passphrases indiscriminately or make them visible, for example, on a sticky note pasted to their monitors. Back-up software won't save you in the event of a fire or raid if you don't keep the back-up copy at a separate, secure location. Sensitive information must be treated on a need-to-know basis instead of being shared with everyone in the organisation, so you need to create hierarchies and protocols. In general, it's important to be conscious of privacy and security in your everyday activities. We call this "healthy paranoia".
Q: How do I choose which encryption software to use?
A: Usually, you can ask your friends - and confirm with us. You need to communicate with certain people and groups, so if they are using a specific encryption system, you should use it too to facilitate communications. However, check with us first. Some software packages simply don't do a good job, while others are honey pots. Honey pots lure you into using free and seemingly excellent software provided by the very people who want to spy on you. How better to read your most vulnerable communications than by being the overseer of your encryption software? Still, there are many reputable brands of both proprietary software and freeware - just remember to investigate before you use it.
Q: Won't using encryption put me at a greater risk of a crackdown?
A: No one will know you are using encryption unless your email traffic is already being watched. If so, your private information is already being read. That means you are already involved in a crackdown by those doing surveillance on you. There is a concern that those doing surveillance on you will use other options if they can no longer read your emails, so it is important to know your colleagues and implement safe back-up policies and consistent office management at the same time as you begin to use encryption.
(Note: We have no information from cases in which the use of encryption software has caused problems to defenders. However, consider this possibility carefully before starting encryption, especially if you are in a country with a heavy armed conflict – military intelligence could suspect that you may pass relevant information from the military point of view – or if very few defenders use encryption – this could attract unwanted attention to you).
Q: Why do we need to encrypt emails and documents all the time?
A: If you only use encryption for delicate matters, those watching you or your clients can guess when critical activity is taking place, and become more likely to crack down at those times. While they cannot read your encrypted communications, they can tell whether files are encrypted or not. A sudden rise in encryption may trigger a raid, so it is a good idea to start using encryption before special projects begin. In fact, it's best to ensure all communication traffic flows smoothly. Send encrypted emails at regular intervals, even when there is nothing new to report. This way, when you need to send delicate information, it will be less noticeable.
Q: If I've got a firewall, why do I need to encrypt my email?
A: Firewalls prevent hackers from accessing your hard drive and network but, once you send an email into the internet, it is open to the world. You need to protect it before you send it.
Q: No one is breaking into my office, so why should I use privacy software?
A: You don't know if someone is breaking into your system or leaking information. Without encrypted communications, physical security or privacy protocols, anyone can be accessing your files, reading your emails and manipulating your documents without your knowledge. Your open communications can also put others at risk in places where politically motivated raids are more likely to happen. If you lock your doors, you should encrypt your files. It's that simple.
Q: We don't have internet access and have to use an internet café. How can we protect communications sent from an outside computer?
A: You can still encrypt your emails and your files. Before going to the internet café, encrypt any files you intend to email and copy them in encrypted form onto your floppy disk or CD. At the internet café, sign up for an encryption service such as www.hushmail.com or an anonymity service such as www.anonymizer.com, and use these when sending your emails. Make sure the people receiving your communications have signed up for these services too.
Q: If it is that important to secure our files and communications, why doesn't everyone do it?
A: This technology is relatively new, but its usage is spreading. Banks, multinational corporations, news agencies and governments all use encryption, seeing it as a sound investment and a necessary cost of doing business. NGOs are at greater risk than companies, which most governments welcome. NGOs are more likely targets of surveillance and therefore need to be proactive in implementing the technology. Human rights workers are concerned with protecting persecuted individuals and groups. To do so, they keep files which can identify and locate people. If these files are accessed, these individuals can be killed, tortured, kidnapped, or “persuaded” not to assist the NGO anymore. Information from these files can also be used as evidence against the NGO and their clients in political prosecutions.
Q: One of our principles is openness. We are lobbying for greater government transparency. How can we use privacy technology?
A: Privacy is consistent with openness. If the government wishes to openly request your files, it can do so through proper and recognised procedures. Privacy technology stops people from accessing your information in a clandestine way.
Q: We follow all the privacy and security protocols and our information is still leaked – what's going on?
A: You may have a spy within your organisation or someone who simply cannot keep information confidential. Rework your information hierarchy to ensure fewer people have access to delicate information – and keep an especially watchful eye on those few people. Large corporations and organisations routinely disseminate different bits of false information to specific people as a matter of course. If this false information leaks out, the leak can be tracked directly back to the employee who was given the original, false information.
Dos and don'ts of using encryption
Safer Office Management
Safer office management is about creating habits. Office management habits can be useful or harmful. To develop useful office management habits, it helps to understand the reasoning behind them. We’ve put together lists of habits that can help you manage your information more safely – but only if you develop these habits and think about why they are important.
What is most important for privacy and security in office management?
Administration
Many organisations have a system administrator or someone who has administrative privileges to access email, network computers and oversee installation of new software. If someone leaves the organisation or is unavailable, the administrator can then access the individual’s information and business can continue uninterrupted. Also, this means someone is responsible for ensuring that the system software is clean and from a reputable source.
The problem is that some organisations consider this role merely as technical support and allow a third party contractor to hold administrative privileges. This administrator has effective control over all information in the organisation, and must therefore be absolutely trustworthy. Some organisations share the administrator role between the head of the organisation and another trusted individual.
Some organisations choose to collect PGP private keys and passwords, encrypt and store them securely and remotely with another trusted organisation. This prevents problems if individuals forget their password or lose their private key. However, the location where the files are kept must be absolutely secure and trustworthy, and specific and extensive protocols must be created relating to accessing the files.
The rules:
1. NEVER give administrative privileges to a third party contractor. Not only are they less trustworthy than people within the organisation, but someone outside the office may also be difficult to reach in emergencies.
2. Only the most trustworthy individuals should have administrative privileges.
3. Determine how much information should be accessible by the administrator: Access to all computers, computer pass phrases, login pass phrases, PGP keys and pass phrases, etc.
4. If you choose to keep copies of pass phrases and PGP private keys with another organisation, you must develop protocols for access.
5. If an individual leaves the organisation, his or her individual pass phrases and access codes should be changed immediately.
6. If someone with administrative privileges leaves the organisation, all pass phrases and access codes should be changed immediately.
Software administration
Using pirated software can leave an organisation vulnerable to what we call the “software police”. Officials can crack down on an organisation for using illegal software, imposing huge fines and effectively shutting them down. The organisation in question gets little sympathy or support from Western media because this is not seen as an attack on a human rights NGO, but as an attack on piracy. Be extremely careful about your software licenses and do not allow software to be randomly copied by anyone in the office. Pirated software may also be insecure because it can contain viruses. Always use an anti-virus utility whenever software is being installed.
An administrator should have control over new software being installed to ensure that it is checked first. Do not allow installation of potentially insecure software, and only install software that is necessary.
Install the most recent security patches for all software used, especially Microsoft Office, Microsoft Internet Explorer and Netscape. The biggest threat to security lies within software and hardware delivered with known vulnerabilities. Better yet, consider switching to Open Source software, which doesn’t rely on the “Security through Obscurity” model, but rather welcomes security experts and hackers alike to rigorously test all code. Using Open Source software and any software other than Microsoft has the added benefit of making you less vulnerable to standard viruses and non-specific hackers. Fewer viruses are created for Linux or Macintosh operating systems because most people use Windows. Outlook is the most popular email program, and therefore the most popular target for hackers.
Email habits
Email encryption should become a habit. It is easier to remember to encrypt everything than to have a policy of when email should be encrypted and when it should not. Remember, if email is always encrypted, no one watching your traffic will ever know when your communications become more significant and delicate.
A few other important points:
Emails sent in plain text or unencrypted across the internet can be read by many different parties, if they make the effort to do so. One of these may be your local Internet Service Provider (ISP) or any ISP through which your emails pass. An email travels through many computers to get from the sender to the recipient; it ignores geopolitical boundaries and may pass through another country’s servers even if you are sending emails within the same country.
Some general tips on issues commonly misunderstood by internet users: