Posts Tagged ‘encryption’

Frontline’s Guide to Secure Group Chat and Conferencing Tools

July 21, 2020

With teams increasingly working remotely during COVID-19, we are all facing questions regarding the security of our communication with one another: Which communication platform or tool is best to use? Which is the most secure for holding sensitive internal meetings? Which will have adequate features for online training sessions or remote courses without compromising the privacy and security of participants?

Front Line Defenders presents this simple overview which may help you choose the right tool for your specific needs.

FLD Secure Group Chat Flowchart


Note:

  • With end-to-end encryption (e2ee), your message gets encrypted before it leaves your device and only gets decrypted when it reaches the intended recipient’s device. Using e2ee is important if you plan to transmit sensitive communication, such as during internal team or partner meetings.
  • With encryption to-server, your message gets encrypted before it leaves your device, but it is decrypted on the server, processed, and encrypted again before being sent to the recipient(s). Encryption to-server is OK only if you fully trust the server and its operator.

Why Zoom or other platforms/tools are not listed here: There are many platforms which can be used for group communication. In this guide we focused on those we think will deliver good user experiences and offer the best privacy and security features. Of course, none of the platforms can offer 100% privacy or security; as in all communication, there is a margin of risk. We have not included tools such as Zoom, Skype, Telegram etc. in this guide, as we believe that the margin of risk incurred whilst using them is too wide, and therefore Front Line Defenders does not feel comfortable recommending them.

Surveillance and behaviour: Some companies like Facebook, Google, Apple and others regularly collect, analyse and monetize information about users and their online activities. Most, if not all, of us are already profiled by these companies to some extent. If the communication is encrypted to-server, the owners of the platform may store this communication. Even with end-to-end encryption, metadata about your communication, such as location, time, whom you connect with, how often, etc., may still be stored. If you are uncomfortable with this data being collected, stored and shared, we recommend refraining from using services by those companies.
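The two notes above make a trust argument that is easy to see in code: with encryption to-server the relay holds a key and can read (and store) every message, while with e2ee it only forwards opaque bytes, yet in both cases it still learns who talks to whom, when, and how much. The following is an added model written for this page; it is not code from Front Line Defenders or from any of the platforms listed, and it is not any platform's real protocol. The cipher is a standard-library-only HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen so the example runs offline; the user names, the sample message and the "group key agreed beforehand" in the e2ee path are constructed assumptions.

```python
"""Model of to-server vs end-to-end encryption: what a relay server can
and cannot see. Constructed illustration, not any platform's protocol."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message rejected: integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class RelayServer:
    """Records what an operator could log: metadata always, message content
    only when the server holds a decryption key (to-server mode)."""

    def __init__(self) -> None:
        self.metadata = []        # (sender, recipient, bytes on the wire)
        self.content = []         # plaintexts the server was able to read
        self.transport_keys = {}  # per-user keys shared with the server

    def register(self, user: str) -> bytes:
        self.transport_keys[user] = secrets.token_bytes(32)
        return self.transport_keys[user]

    def relay_to_server(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # Encryption to-server: decrypt, process/store, re-encrypt for the recipient.
        self.metadata.append((sender, recipient, len(blob)))
        plaintext = decrypt(self.transport_keys[sender], blob)
        self.content.append(plaintext)
        return encrypt(self.transport_keys[recipient], plaintext)

    def relay_e2ee(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # End-to-end: the server forwards opaque bytes but still sees who, whom, when, how much.
        self.metadata.append((sender, recipient, len(blob)))
        return blob


MESSAGE = b"constructed sample: internal meeting notes"  # constructed test message


def run_to_server() -> dict:
    server = RelayServer()
    alice_key, bob_key = server.register("alice"), server.register("bob")
    forwarded = server.relay_to_server("alice", "bob", encrypt(alice_key, MESSAGE))
    received = decrypt(bob_key, forwarded)
    return {"received": received, "server_read_content": MESSAGE in server.content,
            "metadata": server.metadata}


def run_e2ee() -> dict:
    server = RelayServer()
    server.register("alice"), server.register("bob")
    # Assumption: the group key was agreed between the devices beforehand and never sent to the server.
    group_key = secrets.token_bytes(32)
    forwarded = server.relay_e2ee("alice", "bob", encrypt(group_key, MESSAGE))
    received = decrypt(group_key, forwarded)
    return {"received": received, "server_read_content": MESSAGE in server.content,
            "metadata": server.metadata}


def tampering_detected() -> bool:
    # A relay (or anyone on the path) that flips a ciphertext bit is caught by the tag.
    key = secrets.token_bytes(32)
    blob = bytearray(encrypt(key, MESSAGE))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt(key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, result in (("to-server", run_to_server()), ("e2ee", run_e2ee())):
        print(name, "delivered:", result["received"] == MESSAGE,
              "server read content:", result["server_read_content"],
              "metadata:", result["metadata"])
    print("tampering detected:", tampering_detected())
```

In both runs the recipient gets the same message, so the user experience is identical; the difference is only in what `server.content` holds. The `metadata` list is the same in both modes, which is the point of the "Surveillance and behaviour" note: end-to-end encryption protects message content, not the record of who connected with whom and when.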

The level of protection of your call depends not only on which platform you choose, but also on the physical security of the space you and others on the call are in and the digital protection of the devices you and others use for the call.

Caution: Use of encryption is illegal in some countries. You should understand and consider the law in your country before deciding on using any of the tools mentioned in this guide.

Criteria for selecting the tools or platforms

Before selecting any communication platform, app or program, it is always strongly recommended that you research it first. Below we list some important questions to consider:

  • Is the platform mature enough? How long has it been running for? Is it still being actively developed? Does it have a large community of active developers? How many active users does it have?
  • Does the platform provide encryption? Is it end-to-end encrypted or just to-server encrypted?
  • In which jurisdiction is the owner of the platform based, and where are the servers located? Does this pose a potential challenge for you or your partners?
  • Does the platform allow for self-hosting?
  • Is the platform open source? Does it provide source code to anyone to inspect?
  • Was the platform independently audited? When was the last audit? What do experts say about the platform?
  • What is the history of the development and ownership of the platform? Have there been any security challenges? How have the owners and developers reacted to those challenges?
  • How do you connect with others? Do you need to provide phone number, email or nickname? Do you need to install a dedicated app/program? What will this app/program have access to on your device? Is it your address book, location, mic, camera, etc.?
  • What is stored on the server? What does the platform’s owner have access to?
  • Does the platform have features needed for the specific task/s you require?
  • Is the platform affordable? This needs to include potential subscription fees, the cost of learning and implementing it, any IT support needed, hosting costs, etc.

The guide then gives more detailed information on each tool/service it lists:

Signal – https://signal.org/

Delta Chat – https://delta.chat/

Wire – https://wire.com/

Jitsi Meet – https://jitsi.org/jitsi-meet/

BigBlueButton – https://bigbluebutton.org/

Whereby – https://whereby.com

Blue Jeans – https://www.bluejeans.com/

GoToMeeting – https://www.gotomeeting.com/

Facetime / iMessage – https://www.apple.com/ios/facetime

Google Meet – https://meet.google.com/

Duo – https://duo.google.com/

WhatsApp – https://www.whatsapp.com/

Video calls, webinar or online training recommendations

Video calls recommendations: In the current situation you will undoubtedly find yourself organizing or participating in many more video calls than before. It may not be obvious to everyone how to do it securely and without exposing yourself and your data to too much risk:

  • Assume that when you connect to talk your camera and microphone may be turned on by default. Consider covering your camera with a sticker (making sure it doesn’t leave any sticky residue on the camera lens) and only remove it when you use the camera.
  • You may not want to give away too much information about your house, family pictures, notes on the walls or boards, etc. Be mindful of the background: who and what else is in the frame aside from yourself? Test before the call by, for example, opening meet.jit.si and clicking the GO button to get to a random empty room with your camera switched on, to see what is in the picture. Consider clearing your background of clutter.
  • Also be mindful who can be heard in the background. Maybe close the door and windows, or alert those sharing your space about your meeting.
  • Video call services may collect information on your location and activity; consider using a VPN (see the Physical, emotional and digital protection while using home as office in times of COVID-19 guide).
  • It is best to position your face so your eyes are more or less at the upper third of the picture without cutting off your head. Unless you do not want to reveal your face, do not sit with your back to a light or a window. Daylight or a lamp from the front is the best. Stay within the camera frame. You may want to look into the lens from time to time to make “eye contact” with others. If you are using your cellphone, rest it against a steady object (e.g. a pile of books) so that the video picture remains stable.
  • You may want to mute your microphone to prevent others hearing you typing notes or any background noise as it can be very distracting to others on the call.
  • If the internet connection is slow you may want to switch off your camera, pause other programs, mute the microphone and ask others to do the same. You may also want to try sitting closer to the router, or connecting your computer directly to the router with an ethernet cable. If you share an internet connection with others, you may ask them to reduce heavy use of the internet for the duration of your call.
  • It is very tempting to multitask, especially during group calls. But you may very soon realise that you are lost in the meeting, and others may realise this too.
  • If this is a new situation for you or you are using a new calling tool, you may want to give yourself a few extra minutes to learn and test it prior to the scheduled meeting to get familiar with options like turning on/off the camera and the microphone, etc.
  • If possible, prepare and test a backup communication plan in case you have trouble connecting with others. For example, add them to a Signal group so you can still text chat or troubleshoot problems on the call. Sometimes it helps to have an alternate browser installed on your computer, or an alternate app on the phone, to try connecting with.

If you would like to organise a webinar or online training, you can use the tools outlined above under group communication. Some of the best practices include:

  • Make sure that you know who is connected. If needed, check the identities of all people participating by asking them to speak. Do not assume you know who is connected only by reading the assigned names.
  • Agree on ground-rules, like keeping cameras on/off, keeping microphone on/off when one is not speaking, flagging when participants would like to speak, who will be chairing the meeting, who will take notes – where and how will those notes be written and then distributed, is it ok to take screenshots of a video call, is it ok to record the call, etc.
  • Agree on clear agendas and time schedules. If your webinar is longer than one hour, it is probably best to divide it into clear one-hour sessions separated by some time agreed with participants, so they have time to have a short break. Plan for the possibility that not all participants will return after a break. Have alternative methods to reach out to them to remind them to return, like Signal/Wire/DeltaChat contacts for them.
  • It is easiest to use a meeting service that participants connect to using a browser without a need to register or install a special program, one that also gives the webinar organiser the ability to mute microphones and close cameras of participants.
  • Prior to the call, check with all participants whether they have particular needs, such as whether they are deaf or hard of hearing, visually impaired or blind, or have any other conditions which would affect their participation in the call. With this in mind, ensure that the selected platform will accommodate these needs and, to be sure, test the platform beforehand. Simple measures can also improve inclusion and participation in your calls, such as turning on cameras when possible, as this allows for lip-reading.
  • Encourage all participants to speak slowly and to avoid jargon where possible, as the working language of the call is most likely not everyone’s mother tongue. Naturally, there will be moments of silence and pauses; embrace them. They can help to support understanding, can be helpful for participants who are hard of hearing and for interpreters, and will also aid assistive technology in picking up words correctly.

https://www.frontlinedefenders.org/en/resource-publication/guide-secure-group-chat-and-conferencing-tools

Anti-Censorship initiative with free VPN accounts for human rights defenders

July 15, 2020

On 14 July Business Wire reported that the VPN company TunnelBear has partnered with NGOs to give away 20,000 accounts (these NGOs include Access Now, Frontline Defenders, Internews, and one other undisclosed participant).

This program aims to empower individuals and organizations with the tools they need to browse a safe and open internet environment, regardless of where they live. The VPN provider is encouraging other NGOs or media organizations across the world to reach out if they too are in need of support. “At TunnelBear, we strongly believe in an open and uncensored internet. Whenever we can use our technology to help people towards that end, we will,” said TunnelBear Cofounder Ryan Dochuk.

TunnelBear’s VPN encrypts its user’s internet traffic to enable a private and censor-free browsing experience.

“By undergoing and releasing independent audits of their systems, adopting open source tools, and collaborating with the open source community, TunnelBear has proven itself to be an industry leader in the VPN space and a valuable private sector partner within the internet freedom movement. Internews is happy to support TunnelBear in extending its VPN service to the media organizations, journalists, activists, and human rights defenders around the globe who can benefit from it,” said Jon Camfield, Director of Global Technology Strategy at Internews.

Contact: Shames Abdelwahab press@tunnelbear.com

See also: https://humanrightsdefenders.blog/2020/06/23/trump-now-starts-dismanteling-the-open-technology-fund/

https://www.businesswire.com/news/home/20200714005302/en/TunnelBear-Kicks-Anti-Censorship-Initiative-Free-Accounts-Activists

Trump now starts dismantling the Open Technology Fund

June 23, 2020

Raphael Mimoun wrote in Newsweek of 22 June 2020 an opinion piece “Dictators are Besieging Internet Freedom—and Trump Just Opened the Gates”. It is a detailed piece but worth reading:

Last week, the Trump administration started dismantling one of the US government’s most impactful agencies, the Open Technology Fund, which supports projects to counteract repressive censorship and surveillance around the world.

The Open Technology Fund, or OTF, is relatively new, founded in 2012 as a program of the government-backed Radio Free Asia. In 2019, it became an independent non-profit reporting to the US Agency for Global Media (USAGM). Since its founding, the organization has funded dozens of projects now part of the toolkit of millions of rights advocates and journalists around the world. But OTF is now under attack: the new leadership of USAGM, appointed just weeks ago, fired the leadership of all USAGM entities, including OTF, dismissed OTF’s independent and bipartisan board of directors, and is threatening to hollow out OTF altogether…

Many of those tools help those who most need it, where surveillance, censorship, and repression is most acute. Just last month, Delta Chat declined a request for user data from Russia’s communication regulator—because the security architecture developed with OTF support meant it did not have any data to handover. FreeWechat, which publishes posts censored by the Chinese government on the app WeChat, has been visited over 7 million times by Chinese-speakers. Dozens more OTF-funded tools enable millions to evade surveillance by autocratic governments and access the open internet, from Cuba to Hong Kong and Iran.

OTF’s work is critical to human rights defenders and journalists, but it brings privacy and security far beyond those groups. OTF only supports open-source projects, meaning that the code used must be available for anyone to view and reuse…

But OTF’s work on internet freedom isn’t limited to funding technology development. The organization takes a holistic approach to internet freedom, providing life-saving training and capacity-building to groups directly targeted by cyberattacks, harassment, and violence: LGBTQI advocates in Indonesia, journalists in Mexico, civic activists in Belarus, or exiled Tibetan organizations. OTF also funds events bringing together researchers, technologists, policy-makers, and advocates. Those gatherings—whether global like the Internet Freedom Festival or focused on specific countries or regions like the Iran Cyber Dialogue, the Vietnam Cyber Dialogue, or the Forum on Internet Freedom in Africa—have been transformative. They have helped build a tight community in a space where trust is hard to achieve. Without such events, many of the projects, tools, and collaborations to circumvent censorship and counter surveillance would not exist.

See also: https://www.theverge.com/2020/6/23/21300424/open-technology-fund-usagm-circumvention-tools-china-censorship-michael-pack

https://www.newsweek.com/open-technology-fund-trump-dismantling-1512614

European Parliament votes to restrict exports of surveillance equipment

January 22, 2018

Members of the European Parliament have voted to curb export of surveillance equipment to states with poor human rights records, following mounting evidence that equipment supplied by companies in Europe has been used by oppressive regimes to suppress political opponents, journalists and campaigners. MEPs in Strasbourg agreed on 17 January to extend EU export controls to include new restrictions on the export of surveillance equipment, including devices for intercepting mobile phones, hacking computers, circumventing passwords and identifying internet users. The proposals also seek to remove encryption technologies from the list of technologies covered by EU export controls, in a move which aims to make it easier for people living in oppressive regimes to gain access to secure communications which can circumvent state surveillance.

“Dictators spy on their citizens using EU cyber-surveillance. This must stop. The EU cannot contribute to the suffering of courageous activists, who often risk their lives for freedom and democracy,” said MEP Klaus Buchner, European Parliament rapporteur. “We are determined to close dangerous gaps in the export of dual-use goods and call on member states to follow suit.”

The proposed changes to the EU dual-use export control regime are likely to face opposition from the defence industry and governments, as the European Parliament and the European Commission prepare to negotiate their implementation with Europe’s 28 member states.

European technology companies, including UK firms, have supplied equipment that has been used for arresting, torturing, and killing people in Iran, Egypt, Ethiopia, and Morocco, according to the European Parliament. An investigation by Computer Weekly revealed that the UK government had approved export licences to Gamma International (UK) to supply mobile phone interception equipment, known as IMSI catchers, to Macedonia, when the regime was engaged in a massive illegal surveillance operation against the public and political opponents.

And the UK’s largest arms manufacturer, BAE Systems, has exported equipment capable of mass internet surveillance to countries that campaigners say regularly commit human rights abuses, including Saudi Arabia, Qatar, Oman, Morocco and Algeria. An overwhelming majority of MEPs supported reforms to the EU’s export control regime, which will require member states to deny export licences if the export of surveillance technology is likely to lead to a serious impact on human rights in the destination country. The proposed changes, backed by 571 votes to 29 against, with 29 abstentions, will impose tough requirements for EU governments.

Member states will be required to assess the likely impact of surveillance technology on citizens’ right to privacy, freedom of speech, and freedom of association in the destination country before they grant export licences – a significant step up from current levels of scrutiny.

The proposed rules contain safeguards, however, that will allow legitimate cyber-security research to continue. Companies exporting products that are not specifically listed will be expected to follow the OECD’s “due diligence” guidelines, if there is a risk they could support human-rights violations.

Improved transparency measures will require member states to record and make data on approved and declined export licences publicly available, opening up the secretive global trade in surveillance technologies to greater public scrutiny.

http://www.computerweekly.com/news/252433519/European-Parliament-votes-to-restrict-exports-of-surveillance-equipment

HURIDOCS not too worried about the theft of its computers – read why

December 11, 2015

Last weekend, the HURIDOCS office in Geneva and the office of an ally organization were burglarized; two of its desktop computers were stolen. Computers were the only items stolen at both offices, but it is not possible to say whether the theft was specifically for the information stored on the hard drives or just for the computers themselves. Either way, HURIDOCS states confidently in a message that it has not experienced a data breach, because both computers were encrypted and locked with strong passwords. It also did not lose any data, because the data is safely stored in Casebox. Here is how to protect your information and yourself, critical for human rights defenders, in case of physical computer theft:

  1. Lock your computer with a strong and unique password. All passwords should be strong and unique, but perhaps most importantly the one for your computer itself. Simple passwords are more easily hacked by ‘brute force’ (guessing until success), seen by someone glancing as you type, or determined from camera footage (that is why Snowden typed his passwords under a blanket in Citizenfour). There are some good tips for better passwords.
  2. Safeguard all passwords. Do not keep your passwords written on paper near your computer. A multitude of secure passwords will be impossible to keep in mind, so we recommend using a password manager like KeePassX instead; KeePassX also rates the strength of your passwords.
  3. Consistently lock your screen when you step away. Theft can happen very quickly and, obviously, unexpectedly.
  4. Encrypt your hard drive. If it is encrypted, no one else can read it. Check your settings in FileVault on Mac and BitLocker or VeraCrypt on Windows.
  5. Regularly back up your encrypted hard drive to another location. If your computer is stolen, you will still have all of your information. If you use a password manager like KeePassX, your backup will include a locked file containing all of your passwords.

To further protect yourself against privacy breaches and malicious threats, HURIDOCS also recommends that you:

  • Scan your hard drive for viruses at least once a week with updated antivirus software like Sophos or Avast.
  • Update your computer’s operating system and all critical software as soon as updates become available. These updates are often there to better protect you from breaches.
  • Set up two-factor authentication and two-step verification on all critical accounts like email, social networks, Apple ID, and shared workspaces.
  • Change your passwords often.

HURIDOCS conclusion: If you’ve taken the above steps and your computer is stolen, you won’t need to worry about your data being stolen along with it. We strongly recommend all human rights defenders take these precautions.


https://www.huridocs.org/2015/12/steps-to-protect-your-data-computer-theft/

Bahaa Nasr teaches cyber security to Syrian opposition against their digital enemies

February 10, 2015

Forbes of 2 February 2015 carries an interesting piece by Thomas Fox-Brewster about Bahaa Nasr, a man who “Is Teaching Syrians To Defend Themselves Against Their Many Digital Enemies”.

After a description of recent attacks on opposition forces of the Syrian regime, the article – which does not distinguish a lot between human rights defenders and armed opposition – states that those under attack are in need of better cyber awareness. “That’s where Bahaa Nasr comes in. He runs Cyber Arabs, which provides digital security training not only for Syrians but for activists, human rights defenders and journalists across the Arab world.

Bahaa Nasr of Cyber Arabs - AP Photo/Bilal Hussein

Syria, of course, has been a strong focus of our work in the past years due to the multitude of risks CSO [civil society organization] activists are facing there. While originally the main threat came from the regime and from groups like the SEA, now there is more and more concern about extremist groups like ISIS also resorting to cyber attacks,” he tells me over encrypted email.

He notes one of the most common techniques is social engineering, as the opposition has come to realise. But there are also targeted malware attacks, such as those allegedly launched by ISIS.

Then there are cruder methods at play in Syria’s information war. “Checkpoints are also a problem in many places where they often confiscate computers and mobile phones and thus gain access to data and accounts and new entry points for social engineering attacks,” Nasr adds.

He claims Cyber Arabs has helped around 500 activists, journalists, human rights defenders and citizen journalists from 17 Arab countries. At least 200 were from Syria. Training takes place in person and online, covering general digital hygiene: recognising and avoiding phishing attacks or social engineering attempts, good password practices, learning about different kinds of malware and how to improve the security of social media accounts. Cyber Arabs also teaches use of tools tailored for people’s needs, including secure email and instant messaging, and encryption. There’s an Android app to help stay up to date on the latest threats in the region too.

Nasr has been working closely with a range of influential groups, including Citizen Lab, a research collective based in Toronto, which focuses on digital attacks on activists. John Scott Railton, a member of Citizen Lab, described Cyber Arabs’ work as simply “amazing”. With such help available to Syrians, it’s hoped they won’t suffer from smart online offensives on their systems as they try to bring an end to a horrific, protracted war.”

This Man Is Teaching Syrians To Defend Themselves Against Their Many Digital Enemies.