How to secure your online collaborations
This guide is no longer being maintained
Due to the nature of the work, environmental rights defenders tend to form networks, often sharing information through online platforms with low security. Most have email groups that allow for sharing of reports, photos, evidence and other information that may be sensitive. Yahoo Groups and Google Groups are among the most commonly used.
The Yahoo mail system that forms the basis for Yahoo Groups has faced many attacks due to what analysts think of as laxity in Yahoo security policy.
Any information posted on open Yahoo and Google groups can also be accessed by anyone doing a simple Google search. Real names, email addresses, phone numbers, location and other sensitive information can often easily be found in the pages of these groups. There is no indication that defenders are taking any precautions when using these services.
Reports of attacks on rights and ERDs based on these vulnerabilities are largely unavailable, but this could be because of a lack of awareness. The mere existence of this threat should be sufficient cause for taking precautions. Secure online collaboration platforms such as Crabgrass on Riseup.net should be considered in areas where environmental rights defenders may be at risk.
As an environmental rights defender, you will often find yourself working together with partners and needing to exchange information and documents via email. You may also be part of a network that shares information through an email group such as Yahoo Groups or Google Groups. You can keep your online communication secure by taking the steps outlined below.
Securing your email
The first step to ensuring that you are communicating as securely as possible is to secure your email by:
- Choosing to open an email account with a trusted email service such as Gmail instead of Yahoo, which is not known for security and privacy, or Hotmail, which inserts the IP address of the computer you are using into all of the messages you send.
- If you are using Gmail or certain other web services, using two-step verification to add a layer of security to your email login. Basically, Gmail’s two-step verification means that once you sign in with your password, Google will send a verification code to your phone via SMS, voice call or the Google Authenticator app, depending on your choice. You must enter this code to access your account. Google Authenticator is available for Android, iPhone and Blackberry phones. This Wikipedia article explains more, and lists web services which also use two-step verification.
- Creating a strong password for your email account. Find out how you can create a strong password by reading the How to create and maintain secure passwords section of Security in-a-box.
- Accessing your webmail through a browser that has added security features. Mozilla Firefox is a good free and open source browser you can use since it is more secure and can be extended to make your experience safer.
- Using a secure connection when using webmail accounts. You can learn more about secure connections, how to know if you’re on a secure connection and how you can force your browser to connect securely by reading the Keeping your webmail private section of Security in-a-box.
- Opening a secure email account which has more security features, such as Riseup.net. Riseup is free and you can find out how you can do this by reading the Switching to a more secure email account section of Security in-a-box.
- Encrypting the content of your email to protect it from prying eyes. You can encrypt your message using GPG but this might be a little difficult for those without advanced computer knowledge. An easier option would be to use Mozilla Thunderbird with Enigmail and GPG since you only have to set it up once. Find out how you can do this by reading the Encrypting and Authenticating Individual Messages section of Security in-a-box.
In January 2013, a lone hacker, Shahin Ramezany, was able to exploit a hole in Yahoo’s servers by leveraging a vulnerability – described as a DOM-based XSS vulnerability – that is exploitable in all major browsers, thus putting more than 400 million Yahoo accounts at risk. As recently as April 2014, Yahoo mail was still being attacked due to similar vulnerabilities. – Emil Protalinski, TheNextWeb.
Securing your email groups and lists
Once your email account and communication is secure, you can then extend the protection to your email groups and lists. You can move from your current groups and mailing lists such as Yahoo and Google groups to the more secure lists provided by technology collectives including Riseup.net, aktivix.org and autistici.org depending on the level of privacy you need. However, remember that if members of the email list continue to use insecure email providers, any unencrypted content shared on the list can still be accessed and shared by these providers.
Riseup.net allows you to create a mailing list through which you can send secure emails to your partners or within your network. Anyone can create a list at Riseup, but lists have to be approved before you can use them. They usually have criteria for accepting lists, including the proviso that your list should be of “progressive, radical, or revolutionary nature.” It can take more than a week for your list to be approved, but once it is approved you will be able to use one of the most secure lists available. Riseup has also developed a new tool for secure chat, but as of July 2014 this is still being tested. Riseup, like other independent free services, needs donations to keep running.
Aktivix.org provides you with the opportunity to create a mailing list to collaborate within your network using GNU Mailman. You can only get a list from Aktivix if you share their ideology, which is clearly spelled out on their website (https://aktivix.org/more). You also need to be recommended by someone who already has an Aktivix account. If, however, you don’t know such a person, you can request that Aktivix ask for recommendations from selected activists and tech collectives that you know. You are also requested to donate to keep this service running and free.
Autistici.org was started more than a decade ago. It provides internet support to activists and collectives from grassroots and social movements. Apart from mailing lists, they also provide anonymous remailing, chat, and instant messaging, among other services. The services are free, but they recommend that you donate to help them keep these services free.
To find out how to access and use the services mentioned above, you should go to their websites and read their instructions. Since we recommend Riseup.net, you can also find a brief explanation on how to get started with Riseup in the RiseUp - Secure Email Service section of Security in-a-box.
Human Rights Defender Testimonies
“In time of peace, prepare for war. We have a good government now, but we don’t know what the next regime will be like.” – Anonymous Environmental Rights Defender in Liberia.
Secure voice and chat communication
ERDs are often geographically dispersed, using Voice over Internet Protocol (VOIP) technology to hold virtual meetings and discuss sensitive issues. Skype is popular, used on both computers and smartphones. Chat, or Instant Messaging (IM), is often used for communication in real time.
The main problem with Skype is that it is a closed commercial product, so its technology is not available for the public to analyse its security features and assess how safe it is. Free and open source platforms whose technology is open for assessment, such as Jitsi, may be a better alternative for this community.
There are several options you can use to keep your voice and chat communications secure. We recommend Pidgin with OTR for chat, and Jitsi for voice, video and chat.
Pidgin is a free and open source instant messaging platform that allows you to manage several IM accounts in one place. It works with most IM platforms, including the chat functions in Gmail and Yahoo. Off-The-Record (OTR) is a plugin developed for Pidgin which adds more security to your Pidgin sessions. You can learn more about working with Pidgin and OTR by reading the Pidgin with OTR – Secure Instant Messaging section in Security in-a-box.
Jitsi is a free and open source program that allows you to use voice, video and chat over the internet. It works with most of the popular platforms available today, including Google Talk, Yahoo and Facebook. The advantage of Jitsi is that it offers voice and video encryption, allowing you to call other activists and defenders securely. Jitsi also supports voice conference calls. You can learn how to use it by reading the Jitsi - Secure Audio, Video and Instant Text Messaging section in Security in-a-box.
Safer use of social networking sites
Environmental rights defenders, like most rights defenders, sometimes have to depend on mass information dissemination to create public outcry, urging action from governments and companies when diplomatic channels fail and legal channels are compromised.
The growth of social media platforms such as Facebook and Twitter has made them vital advocacy tools for ERDs, and most are using them to expose major transparency, rights and ecological violations.
The risk here is that social media profiles can also be used to monitor and locate ERDs who are targeted by either governments or companies. Sensitive information such as names and phone numbers, as well as photos of self, family and home can be extracted from social media platforms and used to piece together your movement and association patterns, making it easy for adversaries to find and harass you, arrest you or disrupt your work. Sometimes, adversaries may use your social media pages and accounts to maliciously spread propaganda and try to discredit your work.
Human Rights Defender Testimonies
“In our campaign to fight the construction of a mega-dam and establishment of vast plantations along the Omo River in Ethiopia, activities which will drastically reduce the flow of the river and how much water comes into Lake Turkana, thus leading to catastrophic shrinkage and increase of salinity of the lake, we use both Twitter and Facebook to raise awareness and rally support for our cause. A particularly vocal supporter of the dam always attacks us on our Facebook page terming us enemies of Ethiopia and agents of the west who have been paid by Western governments to keep Ethiopians poor.” – Anonymous Environmental Rights Defender
Increase your security when using social networking sites
To improve your security when using social networking sites, you should take a precautionary approach to how you engage with these networks. A general precaution is to be aware of how much of your personal and sensitive information you are sharing on social networks, and how this can put you and your networks at risk. A good explanation of why you should take precautions when using social media tools can be found in the How to protect yourself and your data when using social networking sites section of Security in-a-box.
You can take precautions by:
- Assessing and adjusting how you interact with social media sites: see General tips on using social networking tools, in Security in-a-box.
- Considering what information you should be sharing on social media: see the section on Posting personal details in Security in-a-box.
There are also alternatives to popular social media platforms (such as Facebook and Twitter) in development. Riseup.net, for instance, is currently developing Crabgrass, a social networking and collaboration tool that, in the words of the collective, is designed to suit “the complexity of relationships that activist organizations face in the real world.” See the Crabgrass guide or read more about Crabgrass on the Riseup.net website.