Digital Security and Privacy for Human Rights Defenders

1.2 Security awareness

Abstract
  1. Ask yourself, how easy is it for an intruder to gain access to your office and working space?
  2. Be aware that using a computer in an Internet café is more insecure than using a home computer.
  3. The information stored on your computer should be protected by several layers of access: the security of the computer itself, the room the computer is in and the building where you work.
  4. Know the precise physical location of your data files and any archived duplicates.
  5. Do not use an empty password or reveal it to others.
  6. Be extra vigilant when opening emails and disable the preview function in your email program.
  7. Restrict immediate access to your computer when it is unattended.

This chapter will discuss non-technical approaches to increasing the security of your information and communications. Being aware of your surroundings and thereby realising the potential threats you may be facing is the first step in your security plan. You should also understand your operational environment and have a level-headed approach to the likelihood of security incidents.

Securing your operational environment

The majority of security incidents that affect the work and livelihood of HRDs are connected with physical violence and intrusion into their working environment. Whether you work from an office, carry around a laptop or only use Internet cafés, you should at all times be aware of your capabilities and limitations. Below is a list of questions you should be able to confidently answer. For each question, imagine the worst-case scenario and think how you would deal with it.

Office environment

  • Is it easy for an outsider to access your office without permission?
  • Can the windows be broken or the door forced?
  • Do you have an alarm system, and do you trust the authorities that will respond to the intrusion?
  • Do you have a ‘waiting room’ or reception area where a visitor can be queried before entering the main office?
  • Do you have secure storage (e.g. safe) for confidential documents?
  • Do you have a secure destruction method (e.g. file shredder) for confidential documents?
  • What level of trust and access to your documents do any cleaning staff have?
  • Do you dispose of your rubbish in a way that would make it impossible for an outsider to search or access it? In this regard, how do you dispose of confidential documents?
  • Are you insured and do you have a strategy in the event of a natural disaster or theft?
  • Are your office and staff visible from outside windows?
  • How many copies of keys to your office are there and who has them?
Personal Workspace
  • Can anyone else see your computer screen whilst you are working at your desk?
  • Does anyone in the office know your password?
  • Do you store confidential information in easily accessible places at your workspace?
  • Do you restrict immediate access to your computer when you are away from your desk or office?
  • Is your PC or laptop securely attached to your workspace, or can it be easily moved?
Public environment (e.g. Internet café)
  • Does the café owner know your name and other personal details?
  • Does the café owner monitor the Internet traffic of the customers?
  • Are you confident that the computer you are using is free of viruses and spyware?
  • Can people in the café see what you are reading or typing on the screen?
  • When you are downloading files from the Internet, do they remain on the computer after you leave? How can you be sure?
  • Is the Internet browsing history recorded on the computer?
All the above questions relate to a lack of security. You may note that thoroughness will be required should you wish to secure your working environment and your information. Some of these issues can be easily solved – like purchasing a metal cable to secure your laptop to your desk. Others will require co-operation of the entire staff - like greeting visitors upon entry and querying the purpose of their visit, as well as possible financial investment - like getting insurance or buying a safe. The majority of human rights organisations operate in an open, ‘non-secretive’ manner, yet they are often responsible for the confidentiality and security of their colleagues and those involved in the cases they deal with (witnesses, victims, claimants, etc.). The ability to look at yourself from a different angle and evaluate your current security situation will go a long way towards forcing you to do something about the insecurities.
Assessing the threat to your safety and the safety of your computer must begin at the physical, real- world level. This is an area where you already have experience and expertise. Successful elimination of the risks, posed by the above questions, will provide a very important head start in the security of your digital environment. Consider this diagram, which displays different layers of security around the information on your computer. Security is all about layers to guarantee in-depth protection through the provision of barriers to access. You must build different layers of protection around important equipment and information. You need to protect access to:
  • The building or premises where your equipment and/or files are located
  • The room where your equipment and/or files are stored
  • The workspace and physical location of your computer(s)
  • Your files and data (including information on paper)
environment
Perfect security is almost never attainable. As mere humans we all make mistakes, forget important information and bypass our own security strategies due to laziness or lack of time. We must employ some common sense when considering our security. It is not my intention to teach common sense to anyone, but I would like to present a list of questions that I would personally try to answer when ensuring that my work on and off a computer is done in the least compromising way to myself and to the security of my information. Later chapters will assist you in implementing some of the strategies below, so don’t worry if some of my proposals seem too demanding at first.

Questions to ask yourself

Where is my data?

First of all, always bear in mind where your most important documents are stored. This could be on the office computer or your laptop or on your USB memory card or even on a pile of floppy disks in the cupboard somewhere. It is critical that you have a copy of this data (a backup) as accidental loss or malicious damage would put you back several years. It is also a good idea not to have too many copies of files lying around, especially if they contain sensitive information. You have one backup copy on removable media, and another on a server in a different country (that you send via the Internet). You also bear in mind all locations of the copies, to make sure that they are not too numerous to control. If your office or home is cluttered with many disks in various locations, then you cannot ensure their safety.

Who knows my password?

Do not give out your password to anyone, even though you sometimes wish it were otherwise (critical situations, deadlines – I’m sure some of you have experienced this). Work pressure often demands that something be finished first and everything else will be sacrificed for this to happen. From a security perspective, this is a risky practice. Should your password be overheard by an intruder, written down and then lost, or fall victim of an accident, you may lose access to that email account or file forever.
Using a blank password is like leaving your house unlocked overnight in a rough neighbourhood. Maybe, no one will break in, or, maybe, they will and will steal everything. On the Internet, there are programs that automatically scan for ‘open doors’ and will find yours soon enough. Several years ago, Garry McKinnon – a British hacker managed to hack repeatedly into the computer system of the US Government and the Department of Defence network by simply trying out blank or standard passwords (such as ‘admin’ or ‘password’). Supposedly, he recovered information on Extra-Terrestrials and evidence of cover-ups. He was eventually caught and faces extradition from the UK to face court in the USA.8 I have many different passwords and no two are the same. Some of them are in my head (you must get used to creating and remembering good passwords), but most are stored in my password program. When I cannot recall a password or need one of great complexity, I ask the password program to create and store it for me. But I never write them down anywhere!

Whose computer is this?

Often I access my email and work on public computers in an Internet café or a library. I cannot make sure that each computer is free from viruses, spyware, Trojans or other malicious agents. Caution must be applied to the type of information I choose to open on this or that computer. This is not to say that I do not do any work on such a computer at all – I simply prioritise to ensure I work with the information that is not security sensitive and will not be a liability if corrupted or stolen. Remember that any file that I open or any text that I read on the Internet can easily be stored for later inspection or abuse if the computer I am on has been configured for that.

Some of you may not own a computer and have to use public computers all the time. Please, bear in mind the insecurity, described above, and take steps – wherever possible – to find out (and to check) what security precautions the computer owner has undertaken.

Every computer on the Internet has a unique identifier (more on this later). If the owner of the Internet café records your name and time of visit, then do not think your Internet browsing is anonymous. It could be linked directly to you.

Who is this?

Whenever I receive a strange email or an unidentified link, I always ask myself – who the sender of this information can be. If there are any doubts as to the legitimacy of a message, I do not click on it to find out if I was right, I delete the message immediately. Unfortunately, the world of computers has come so far that it is not even necessary to double-click on something to get infected with a virus. Modern day techniques can mean that the moment you open an email or a browser you may be infected with the newest brand of some destructive program or other.
This is why caution is your best friend. Our email boxes are bombarded with lots of useless information and, apart from being annoying and time-consuming, we normally do not see it as dangerous. In 2004, the Melissa virus reportedly caused the damage of up to 1.5bl USD around the world. It was actually a worm that was embedded into an email message. When the email was read, it automatically sent itself onwards to everyone in the recipient’s address book. There was no other destructive malice involved. Yet this was enough to bring down large corporations for a long time and to make news headlines all over the planet. Disable the preview feature in your email program and if you want to read a new email from an unknown sender, make sure your virus cleaner and firewall are up-to-date. If you suspect the email is spam, delete it without opening.

Who can access your computer?

When you left your desk for the night or are stepping out for lunch, switch your computer off. Countless incidents can occur while your computer is operating and unattended. By switching the computer off, you are cutting its power supply and securing it from Internet attacks. Your BIOS or Windows security passwords are not effective if your computer is on. Some viruses lie dormant until the middle of the night, then activate your modem and dial a long distance number. It only takes a couple of minutes to boot most computers, so all you are sacrificing is a tiny bit of time while gaining a lot in security. If you are using a public computer in an Internet café or library, try and reset it after you finished working (when using Windows, do this by pressing Start > Shutdown > Restart and wait for the computer to reload). This will clear a lot of the temporary data from your session.

Do you know your environment?

The knowledge of your surroundings is crucial to your security. You should be aware of the risks and dangers that each scenario presents, and of your resources for dealing with them. Working towards electronic security should include knowledge of relevant local legislation, office workspace security, a trusted circle of friends and colleagues, technical knowledge and awareness of your own and your computer’s vulnerabilities and capacities. To prepare a better policy on security for yourself or your organisation, you need to build a threat model.