« Information Tribunal appeal decision on the "Wilson Doctrine" | Main | Information Tribunal hearing of our OGC Gateway Review case starts today »

Digital Security & Privacy for Human Rights Defenders

[via Ralf Bendrath]

The Irish based Front Line Defenders charity has published a very useful free online book, entitled Digital Security & Privacy for Human Rights Defenders (9Mb .pdf 164 pages) with text mostly by Dmitri Vitaliev, but with contributions from the likes of Privacy International, Professor Ross Anderson and Stephen Murdoch from the University of Cambridge Computer Science Laboratory etc.

UPDATE 22/03/2007: There is now a web page version Digital Security & Privacy for Human Rights Defenders manual available online, for easier access and translation.

There is some common sense guidance, spelt out clearly and simply, especially regarding physical security and the establishment of a trustworthy computing base, with an overview of topics such as circumventing web censorship, cryptology, steganography, backing up data or securely erasing it etc.

There is also practical advice on software settings for common software, with the acknowledgement that although Microsoft Windows operating systems and application software is not ideal, it is the de facto world standard, and, with care, it can be configured to provide a high degree of security and privacy, especially with the help of free tools such as those in the NGO in a Box Security Edition toolset.

We have a few minor quibbles, but, overall, this is an excellent guide to general, common sense, computer and internet security aimed at human rights workers around the world, which complements our own more modest modest hints and tips for whistleblowers, journalists and bloggers.

A few minor quibbles:

  • We would, for example, not configure our web server or web browser software to accept SSL version 2.0 connections (SSL version 3 and TLS version 1 are ok), because of inherent weaknesses, such as the possibility of a cipher strength downgrade attack which reduces the strength of the encryption to only 40 bit encryption, which is crackable in near real time on most desktop computers sold today.

  • The use of USB memory sticks or similar flash media is more convenient than , say floppy diskettes, but, the very reliability and ruggedness of these devices also makes them extremely difficult to erase securely, without resorting to physical destruction.

  • There is also no guidance on the use and possible abuse of mobile telephones, which are, of course, more common than personal computers. (see our hints and tips blog post for some ideas on this)

As the main author Dmitri Vitaliev says, security is a process, and a habit and a mindset, which, hopefully, this publication will help to stimulate and inspire people to take their own tailored precautions and conduct their own research and risk assessments, into what suits them and their associates best.

CONTENTS Introduction 1

The Problems; Security as a process; A guide to the manual

1.1 Security and Insecurity 4
Methods and trends of surveillance, censorship and electronic attacks;
Specific threats faced by human rights defenders

1.2 Security awareness 9
Securing: Your operational environment; Office environment;
Personal Workspace; Public environment
Questions to ask yourself 11

Where is my data?
Who knows my password?
Whose computer is this?
Who is this?
Who can access my computer?
Do I know my environment ?

1.3 Threat assessment and the security circle 14
Modelling risk and developing a strategic diagram;
Threat prevention;
Reactions to threats; Security circle

2.1 Windows Security 20
Operating system updates;
File Allocations;
Lock Screens;

2.2 Password Protection 26
How passwords are compromised through profiling, social engineering, brute force attacks

Creating Passwords 28
How to create passwords using mnemonics and software

2.3 Information Backup, Destruction and Recovery 30
Information backup strategies; frequent access files, non-frequent access files, system backup

Information Destruction 32
Secure and permanent data deletion;
Wiping removable devices;
Wiping guidelines

Information Recovery 34
Prevention of information loss;
Recovering lost data

2.4 Cryptology 36
History of modern cryptology;
Encrypting your computer;
Public key encryption and security;
Digital signatures;
Encryption insecurity

2.5 Internet Surveillance and Monitoring 43
How the Internet is monitored;
Threats from cookies;
Monitoring email communications;
Internet & Email Filtering 46

Filtering email for specific keywords;
Internet filtering
Internet Censorship 48
Blocking websites from access by DNS, IP, keyword blocking;
DNS hijacking

2.6 Circumvention of Internet censorship and filtering 51
Circumventing Internet censorship with proxy servers;
Different types of proxy servers, their features and advantages;
Anonymity networks;
Anonymous Internet publishing

2.7 Encryption on the Internet 59
Verifying secure Internet connection with SSL certificates;
Man-in-the-Middle attacks

2.8 Steganography 67
Linguistic Steganography - Semagrams;
Open Codes;
Covered Ciphers
Data Steganography - Hiding text in images, in audio; Steganography software;
Detecting steganography

2.9 Malicious software and Spam 75
History of viruses;
Malware variations and their effects;
Reacting to malware attacks;
Spam and prevention

2.10 Identity Theft and Profiling 82
Profiling today;
What makes up your digital profile;
How cookies are used;
Digital identity;
Authenticity and Anonymity;
Preventing profiling

3. Changes to legislation on Internet privacy and freedom
of expression affecting work and safety of Human
Rights Defenders around the world 88

3.1 Censorship of online content and Online publishing 92

3.2 Website Filtering 98

3.3 Communications Surveillance 101

3.4 Cryptology and Circumvention 104

4.1 Case Study1 - Creating a Security Policy 106
Drafting a security plan;
Components of the plan;
Case Study - developing a security plan for a human rights NGO

4.2 Case Study 2 - Communication channels 110
A human rights NGO is researching and documenting cases of torture in their country. They need to store this information securely and communicate it to the headquarters in a different country

4.3 Case Study 3 - Securing and Archiving Data 116
A human rights NGO wishes to transfer its large collection of paper documents to a computer and secure it from loss, theft and unauthorised access

4.4 Case Study 4 - Secure Email and Blogging 121
A journalist reporting on human rights violations by email and blogging fears that her messages are being censored and tampered with. She wishes to secure her online identity and communications, anonymise her Internet presence and adopt good password techniques

Appendix A. Computers explained 127
History and modernity;
How computers work;
Operating Systems;
Proprietary vs free and open source software

Appendix B. Internet explained 132
History of the World Wide Web; Internet Today;
Basic Internet infrastructure;
How email works;
Voice-over IP;

Appendix C. Internet Program settings 139
How to secure your Internet browser settings;
Internet Explorer - basic security settings, deleting temporary files;
Mozilla Firefox - basic security settings, deleting temporary files

Appendix D. How long should my password be? 146
How long does a computer or Internet password need to be in view of today's brute force attacks

Glossary 147

A proposal for the Internet Rights Charter 148


Thanks for the excellent review of "Digital Security & Privacy for Human Rights Defenders" !

Your IP address reveals your point of entry to the Internet and can be used to trace your communications back to your ISP, your employer's network, your school, a public terminal.
Use our Free Web Proxy to surf the internet anonymously at http://peak40.com

Post a comment