Digital Security in the face of ISIS
In December 2015 and January 2016, I travelled to Iraqi Kurdistan to conduct a digital security training with human rights defenders (HRDs) there. The HRDs I worked with urged me to extend my trip, and to hold a digital security consultation with defenders in the nearby, but highly vulnerable, city of Dohuk.
Located just one hour north of the Islamic State (ISIS) stronghold city of Mosul, Dohuk has been flooded by internally displaced persons (IDPs) fleeing ISIS advances in the region and is highly susceptible to an attack by ISIS militants. The HRDs, journalists and individuals documenting the human rights abuses there are particularly at risk of both physical and cyber attack because the sensitive information they are documenting exposes the abuses committed by ISIS. It was clear from what my local contacts were telling me that these activists would benefit greatly from digital security training and advice.
Upon arrival at Dohuk, I met with a number of local human rights organisations. Many of them recommended that I visit one of the main IDP camps on the outskirts of the city. A pattern was developing – every HRD I met with urged me to meet with yet another group of HRDs, each believing their colleagues elsewhere to be even more at risk than they were.
IDP Camp in Dohuk
Heeding their advice, I visited an IDP camp filled with people from the persecuted Yazidi minority. The Yazidis practice an ancient religion that extremists denounce as 'devil worship'. ISIS has viciously targeted, killed, and displaced the group. In August 2014, ISIS fighters laid siege to the Iraqi city of Sinjar and the surrounding villages, a district predominantly inhabited by the Yazidi people. They executed thousands, abducted over 5,000 and forced upwards of 400,000 to flee their homes during what has been called a 'forced conversion campaign'. Under the Islamic State's interpretation of Islamic Law, Yazidis are officially given the choice to convert to the militants' brand of Sunni Islam or die.
For the displaced Yazidis who survived the attack, they have received assistance from local HRDs in the IDP camp. HRDs document the abuses the Yazidi people have endured and witnessed when forced to flee their homes. HRDs hope that this documentation will be used to prosecute ISIS fighters for war crimes and human rights abuses in the future.
Some of the Yazidis who reach the camp are young women and girls who have managed to escape from their captors and who give harrowing accounts of the abuse they suffered within ISIS's self-proclaimed caliphate. According to these reports and others, systematic rape and sexual enslavement of non-Muslim women is actively encouraged within the ISIS controlled territories, and there is even a market where girls are bought, sold and traded among fighters as commodities and rewards.
Arriving at the camp I initially performed a digital security risk assessment to determine the level of security currently in place. Given the proximity of the camp to the ISIS bastion at Mosul and the highly sensitive nature of the information being gathered on location, I expected the security to be relatively extensive.
I discovered however, that there was virtually no digital security in place. Sensitive information was being stored on insecure devices with no information back-up, no encryption, no secure communication channels and no use of pseudonyms. Everything was open and readily available to any hacker or a physical theft. The HRDs were exposing themselves to digital and physical attack, and exposing the victims whose testimonies they document to re-victimisation if the information were to be stolen.
Yazidi IDPs in Dohuk
Some of the young women who have managed to flee from ISIS have recounted very specific, highly sensitive testimonies. These accounts detail the names, positions and locations of militants within the ISIS ranks. Some accounts identify people within the Iraqi military who have cooperated with and sold information to the fighters. I learned of at least one victim's account which pinpointed the location of an ISIS training field and military equipment store. This information and the names of the victims and perpetrators should have been treated as highly confidential.
Working with the HRDs on digital security training for three full days, I introduced them to a wide range of security tools and programs. During this time we worked together to encrypt sensitive files, establish secure communication channels, create protected information back-ups and restrict the storage of highly sensitive information to a limited number of computers with controlled access.
When I began working, it quickly became apparent that this was the first time the HRDs had been introduced to digital security and that they were not aware of its importance. Their initial response was that their work is open and public and that they publish their findings online and have nothing to hide. However, when we discussed some of the possible consequences to the victims and the HRDs if ISIS or corrupt officials were to have access to the names, dates and locations they were documenting, they realised that there was a considerable risk.
The HRDs working at the camp are motivated by the experiences of the victims; they could see that increasing their digital security would help to protect the victims further. I gave them examples from my work across the Middle East of scenarios when poor digital security has resulted in very difficult and dangerous physical risk to human rights defenders and the communities they work with.
As a digital security consultant I know that the key to sustainable change is developing a digital security policy and identifying a 'digital security champion'. The digital tools and tactics we use are useless if you leave the office unlocked in the evening, leave your computer open, use the same password for all accounts, or use an insecure external driver. At the camp, I identified the perfect 'champion': a lawyer with an IT background who I believe will continue to be the driving force behind the new policy and maintain the behavioural change. This 'champion' is someone that I will continue to be in contact with in the weeks and months ahead, to ensure the new digital security policies and procedures are being implemented.
Front Line Defenders works with a number of international digital security consultants to provide digital security trainings and workshops for human rights defenders at risk. This article was written by our digital security consultant for the MENA region who travelled to Iraq in December 2015 and again, in January 2016, to support Iraqi and Kurdish human rights defenders and improve their digital security capacity.
