Last month, the government of Sudan declared a “cyber-jihad” against youth groups and other anti-government organizations organizing protests in that country. Having responded harshly to earlier protests with beatings and arrests, the government of Sudan has now turned its attention to cyberspace, with teams managing what the government calls “online defense operations.” Internet agents infiltrated organizers’ websites in an attempt to determine the identities of leading activists. The result: with their Facebook accounts and phone networks compromised, activists spent upwards of 12 days in jail and were subjected to the brutality of security forces. Though many have been released, they are now wary of utilizing almost any organizational strategy involving telecommunications.
A recent Op-Ed in the Jakarta Post by an assistant lecturer at the University of Indonesia, Bambang Hartadi Nugroho, explains that countries with weak political legitimacy would be most apt to view internet organizing as an imminent security threat and to take action against it to preserve their grip on power.
The world has seen this theory in action with the on-again off-again disappearances of activists as famous as Egypt’s Google star Wael Ghonim in January and with other activists from countries currently experiencing unrest, such as Sudan or Bahrain. For further examples of human-centered threat removal activities, see the use of phishing, hacking, and face recognition technology in Morocco, Tunisia, Azerbaijan, Belarus, or Burma.
Governments may also enforce internet blackouts or site censorship in an attempt to remove a threat to regime survival. Most recently, the Government of Uganda attempted to block social media sites during “Walk to Work” protests against rising fuel and food prices.
So, what does this mean for you?
Those working for organizations operating in unstable environments are often aware that their sensitive communications data would be prize information for local governments to confiscate, whatever their ultimate intentions. Most of those involved in this work take numerous precautions to protect themselves and their associates. Yet threats to their (and your) information are constantly evolving.
You are working for social change in a country with weak political legitimacy. Some of your efforts may be seen as a threat to the government in power.
You need to take security precautions to protect yourself, your associates, and your movement.
Basic Precautions
HTTPS and Internet Browsing: Using HTTPS is the most basic and oft-touted security strategy that Internet users should follow. HTTPS means that messages sent from such a site are encrypted before they are transmitted, and are decrypted upon arrival at the end location. Therefore, information sent over https:// sites is less subject to interference or eavesdropping by third parties.
According to a privacy guide by digital freedom organization Access, Firefox (HTTPS Everywhere and Force TLS) and Google Chrome (KB SSL Enforcer Extension) have add-ons that force sites to use https:// mode whenever available.
Gmail has a strong reputation for privacy protection because it utilizes HTTPS as its default.
Another way to preserve your privacy and anonymity online is by using Tor. Tor is open-source software that reroutes your internet traffic through different internet users and locations. For example, without Tor, a person or organization monitoring your activity would be able to track the beginning and ending locations of the data you send and receive in addition to the websites you frequent. Tor would protect your (and your organization’s) information by dispersing some of your traffic through different locations and users, making you much more difficult to track. Tor is also a useful tool if you are in a country with restricted access to some sites. If the government of China has blocked a certain website, you may be able to view it by disguising your location so that it appears you are not inside the country.
Anti-Virus: Most people are aware of the importance of anti-virus and anti-spyware software. Just make sure that you keep up to date on recent developments in new technologies, and choose programs that come highly recommended by professionals (many recommend Avast). Firewall installation may provide some protection from hackers, and Comodo Firewall comes highly recommended. Perform scans and update your software regularly. Don’t open attachments from untrusted sources, and be careful when opening attachments from trusted sources. Finally, be careful about using USB sticks or thumb drives: spy programs and viruses love to hitch rides from one machine to another using these “trusty” little devices.
Passwords: Does your place of employment force you to use letters, symbols, and numbers? Do you have to change your password every three months or else face an embarrassing trip to the IT Department? The reason for this isn’t just that the IT Department enjoys seeing your shining face every 90 days; it’s that passwords that are longer and more complex are more difficult to break.
Unfortunately, passwords that are longer and more complex and even updated constantly are that much harder to remember. And written passwords can fall into the wrong hands all too easily. Instead, many techies recommend using KeePass, free open-source software designed to store your passwords in a safe place, protected with the most up-to-date security programming available, and locked using a master password.
While you’re at it, you can encrypt files stored on your computer using software such as TrueCrypt.
Phones: As illustrated so eloquently by a map of German politician Malte Spitz’s six months of saved phone location data, your cell phone is a tool that can be quite useful in someone else’s hands. While switched on (and sometimes while it’s off), your phone is constantly communicating location information to your service provider. Special numbers are assigned to the hardware of your phone in addition to your SIM card, and your phone is constantly readjusting signal information with your service provider. Thus the exact location of your phone, and you, can be determined at just about any time. That information is recorded and saved. Governments know this, and will try their best to access it. Remember Saudi Arabia’s attempt or the government of India’s successful push to gain access to secure BlackBerry information?
Be careful about using your phone if you have serious reason to believe that your safety might be in danger.
One other point about cell phones. Your contacts and call history can and will lead anyone searching through your phone to everyone in your network. So, just like your other girlfriend’s number and text messages (Honey, I swear that’s Mikey from the team!), you should be careful about what you do with the contact information of other in-country staff and your associates.
Emergency Deletion: We hope it won’t come to this. But, in some cases, your phone and computer may be confiscated. With the device goes your information. Hopefully your phone is password-protected and your computer files are encrypted, and your contacts are all listed as John Doe.
Some phone services offer emergency deletion kits such as the SMS Kill Pill for Treo. PC Mag offers a rundown of smartphone remote deletion applications. For computers, you can try using DiskAgent. These methods are unfortunately flawed, as they require prior installation and they would also require you to be able to “trigger” a wipe before an interested party accesses your data or reprograms your device, by which point it is already too late.
If you have a little bit of time, you can try wiping the information from your computer early (like when you first start receiving threats) using something like Eraser or Darik’s Boot and Nuke, which will overwrite your old information several times and make your deletions more permanent and secure. You can complement that with CCleaner, a software tool that erases temporary files from your computer.
Common Sense: As some people learn the hard way, you should also implement good common-sense communications rules when operating in unsafe environments. Don’t discuss sensitive information in your taxi, or in a restaurant where anyone can overhear you. Really, you shouldn’t be discussing sensitive information anywhere except somewhere that you know for a fact is secure. If you are running your mouth in public and then you check into the area’s fanciest hotel, no amount of tech-savvy security tips is going to be able to hide you or what you’ve been up to.
Advanced Resources:
Some excellent security and censorship navigation guides have been published within the past few weeks that have far more in-depth knowledge than I, and to them I owe a great debt of gratitude for much of the information provided above:
“A Practical Guide to Protecting Your Identity and Security When Online and When Using Mobile Phones” by Access was published in March 2011.
Security in a Box, a set of how-to booklets and hands-on guides for security and privacy online, was developed by Frontline Defenders and the Tactical Technology Collective.
“Leaping Over the Firewall: A Review of Censorship Circumvention Tools” was published by Freedom House on April 12th, 2011.