Welcome to Security in-a-box!

Advocates and human rights defenders are increasingly concerned about their digital security, and with good reason. While computers and the Internet can be extremely powerful tools for advocacy, they also present new risks for a group that is already, in many cases, quite vulnerable. As more advocates have begun to rely on digital technology to achieve their outreach, data-collection, information design, communication and mobilisation objectives, these risks have become more severe.

If you are an advocate who focuses on sensitive issues, or somebody who works closely with one, you have no doubt experienced or heard stories about digital security and privacy threats. Computers and backup drives that were confiscated, passwords that changed mysteriously, local websites that were hacked or overloaded by malicious Internet traffic, foreign websites that can no longer be accessed and emails that appear to have been forged, blocked, modified or read by someone other than the intended recipient. These are true stories, and many of them are set in an environment that makes matters even worse, an environment in which computer operating systems are frequently out-of-date, software is often pirated and viruses run rampant.

This toolkit provides explanations of, and solutions for, threats like these. It was created by a diverse team of experts who understand not only the conditions under which advocates work, but also the resource restrictions they face.

While Security in-a-box is designed primarily to address the growing needs of advocates in the global South, particularly human rights defenders, the software and strategies in this toolkit are relevant to digital security in general. It has something to offer anyone who works with sensitive information. This may include vulnerable minorities, independent journalists or 'whistle-blowers', in addition to advocates working on a range of issues, from environmental justice to anti-corruption.

How to use the Security in-a-box Toolkit

This toolkit has three major components:

  • the How-to Booklet
  • the Hands-on Guides
  • a selection of freeware and open source software

The How-to Booklet is designed to explain the issues that you must understand in order to safeguard your own digital security. It seeks to identify and describe the risks you face and help you make informed decisions about how best to reduce those risks. To this end, it answers eight broad questions related to basic security, data protection and communication privacy.

At the beginning of each chapter, you will find a background scenario populated by fictional characters who will reappear in brief conversations throughout the chapter in order to illustrate certain points and answer common questions. You will also find a short list of specific lessons that can be learned from reading the chapter. It is a good idea to scan through this list before you begin reading. As you work through a chapter, you will encounter a number of technical terms that link to definitions in a glossary at the end of the booklet. You will also find references to the specific software discussed in the toolkit's Hands-on Guides.

Each Hands-on Guide explains how to use a particular freeware or Open Source software tool. They highlight potential difficulties, suggest helpful tips and, most importantly, walk you through the process of configuring and using these tools securely. They include screenshots and step-by-step instructions to help you follow along.

All of this software can be installed directly from the Hands-on Guide or downloaded free of charge from the tool developer's website. In most cases, you can install a tool simply by clicking on the appropriate link at the beginning of whichever guide describes that tool, then telling your browser to Open or Run the install program. If a Hands-on Guide provides special installation instructions, you may have to save a file to your Desktop, or some other location, in order to install that tool.

The Security in-a-box toolkit also includes a section called Portable Security, where you will find 'portable' versions of a few important Security in-a-box tools. These versions are meant to be installed directly onto a USB memory stick so that you can use them from any computer.

Any single chapter or guide in this toolkit can be read individually, formatted in your browser for easy printing, or shared electronically. However, you will get more out of Security in-a-box if you can follow the relevant links and references that are scattered throughout both the booklet and the software guides. If you have a printed copy of the How-to Booklet, you should keep it front of you while you work through the Hands-on Guides. You should also remember to finish reading the How-to Booklet chapter covering a particular tool before you begin relying on that tool to protect your digital security.

Where possible, you should read the chapters of the How-to Booklet in order. Security is a process, and there is often little point in trying to defend yourself against an advanced threat to your communication privacy, for example, if you have not yet ensured that your computer is free of viruses and other malware. In many cases, this would be like locking your door after a burglar is already in your home. This is not to say that any one of these eight topics is more important than any other, it is simply that the later chapters make certain assumptions about what you already know and about the state of the computer on which you are about to install software.

Of course, there are many good reasons why you might want to work through these chapters out of sequence. You might need advice on how to back up your important files before you begin installing the tools described in the first Hands-on Guide. You might find yourself faced with an urgent privacy threat that justifies learning How to protect the sensitive files on your computer, which is covered in Chapter 4, as quickly as possible. Perhaps you are working from an Internet café, on a computer whose security is not your responsibility and from which you do not intend to access any sensitive information. If you want to use this computer to visit a website that is blocked in your country, there is nothing to prevent you from skipping ahead to Chapter 8: How to remain anonymous and bypass censorship on the Internet.

Whatever path you take through the toolkit, we hope it answers some of your questions, helps you understand some of your vulnerabilities and shows you where to look for solutions.

About the Security in-a-box Project

Digital security and privacy threats are always unique to the work that an advocate does and the environment in which that person operates. Furthermore, the collection of software that might help address those threats is constantly changing, and the tools themselves are frequently updated. For these reasons, it is extremely difficult to create an 'off-the-shelf' toolkit like Security in-a-box. Nothing stated in this toolkit is absolute, and there is no replacement for a trusted, local expert who understands the environment you work in, is sympathetic to your cause and can help you identify the most up-to-date tools with which to protect yourself.

Nevertheless, we hope that Security in-a-box will give you an idea of the relevant issues and the right solutions for your own particular situation. We have worked with experts from all over the globe to peer-review the tools and tactics that make up this toolkit. This booklet offers the very best advice that we could assemble without being able to look at and respond to your unique circumstances.

The software that we selected was researched, tested and, in many cases, localised into additional languages by a diverse team of security experts, advocates, human rights defenders, translators and software engineers in collaboration with the Tactical Technology Collective and Front Line Defenders. These tools featured prominently in a number of security trainings that were held as part of the Security in-a-box project, trainings that served not only to strengthen the security and privacy of advocates throughout the world, but also to confirm the appropriateness of the tools selected and to verify the accuracy of the Hands-on Guides.

As of this booklet's publication, the entire toolkit is available in thirteen languages: Arabic, Burmese, English, French, Mandarin, Persian, Russian, Spanish and Vietnamese (other languages are in preparation). It exists both as a printed toolkit, and on the Security in-a-box website, at www.securityinabox.org. Please write to security@ngoinabox.org if you would like to request a printed version, distribute or translate the toolkit, or talk to us about training.

Tactical Tech and Front Line Defenders are dedicated to making this toolkit as useful as possible for advocates, and to ensuring that future versions are even better. To do so, we rely heavily on your feedback. Your stories about the toolkit--how you use it, what you find useful and what you don't find useful--will help us get it right. They will also help us raise funds for the further development of this project. Please send us your comments, stories and ideas to security@ngoinabox.org.