In our July 23 webinar, TABridge co-organizer Allen “Gunner” Gunn of Aspiration surveyed the conceptual and concrete steps that NGOs should take to familiarise themselves with security considerations, protect the data belonging to individuals and organisations, and improve the overall “security culture” of their organisations. You can also view a recording of the webinar and slideshow.
The current TABridge webinar series is based largely on our new guide, “Fundamentals for Using Technology” in transparency work. Host and guide author Dirk Slater introduced Gunner, who presented the group with an hour-long introduction to essentials of digital security, compiled not as a comprehensive introduction, he said, but as useful reflections with several practical recommendations.
The risks and the tools in this arena are always changing, and it’s important to think of security as a continuing process of awareness and not a fixed destination, said Gunner. A key goal of the presentation was to offer ways to get a conversation started with your organization, “to provide ways to talk about security with your peers and allies,” he said, “and give concrete steps you can take today to operate more securely.” Often this means getting past “mysterious acronyms” like PGP and OTR and creating safe, forthright conversations among your colleagues.
One reason this can be hard, he said, is that the concept of security can mean different things to different people. An organization’s IT team may be focused on “blocking incursions” onto your network and servers, while activists in the field may need to conceal “digital footprints” like locations and real names in order to save lives. Managers and NGO attorneys may think of it in terms of mitigating risks and liabilities, while general staff and others may not have these expert considerations in mind, but harbor free-floating worries that they are not working securely—and feel guilty that they ought to know more!
Despite these various concerns, he said improving digital security can be a hard sell at many NGOs. He cited several kinds of challenges to NGO adoption of better security practices, including:
- Utility, e.g., tools like Google Docs and Gmail are powerful, free and easy to use, but they sacrifice privacy and enable broader, undetectable surveillance of critical data.
- Usability, e.g., more people would use encrypted email if PGP wasn’t so confusing.
- Productivity, e.g., conferencing on Skype or Google offers a highly efficient way to collaborate in real-time, despite privacy and security risks.
- Efficiency, e.g., security takes time, for software updates and backups and for staying educated about the latest threats.
- “Ubiquity,” e.g., Windows is both the most popular and the least secure major desktop operating system.
Two other important challenges mentioned were the “rate of change” in secure technology practices, i.e., the tools for secure and anonymous practices today may not be—indeed, probably won’t be—all that you need to stay secure tomorrow; and “denial,” meaning, some people think that because they have “nothing to hide,” they will never be targeted, which creates a number of risks, especially for groups who may be holding other people’s information along with their own, such as the names of activists in conflict regions. (For more on the tensions between security and convenience, a good expert to check out is Bruce Schneier.)
Groups should consider the differences between security, anonymity and privacy, which often are blurred together. Think of digital security, he said, as “the protection of devices, data, communications and online accounts from intrusion or attack by an adversary.” Remember that it’s a continuing process, driven by the responsibilities of both organizations and individual staffers (who might, for instance, leave an iPhone with sensitive email addresses behind on a train in Russia). It is not a static condition you or your NGO can reach. Meanwhile, digital “anonymity” is simply the ability to mask all identifying information while communicating and interacting online, and digital “privacy” can be thought of as the ability to keep data and digital activities private from surveillance. These issues overlap, he said, but are distinct.
For an NGO to gauge security risks and begin to respond, Gunner recommended that they take stock of:
- Digital assets, i.e., What information do you manage in the course of your work and who will benefit and who will face risk if others get access to it?
- Potential attackers, i.e., Each NGO has a different set of possible attackers, ranging from government agents, to law enforcement, to “opponents,” to advertisers or those who mine data for profit, to former staff, to non-human attackers like “bots”—it’s important to have models for who yours are and could be.
- Points of access, i.e., There are several places where information sits and may be exposed, from laptops and desktops, to cameras and portable flash drives, to servers, to each staffer’s mobile phone. Ultimately, Gunner said, a smartphone will never be surveillance-proof, so the less information that you keep on one, the better.
Data on devices is often referred to as data “at rest.” A different set of risks confronts data “in motion,” such as non-secure traffic across the web, emails and instant messages, among others. Gunner reminded the group that most communication goes across the internet as plain text. Like a postcard in the mail, it can be read by anyone.
For groups who want to mitigate these myriad risks, there is a range of simple steps they can take, from secure browsing, to encrypted email, to simply installing “less stuff.”
Organisationally, he made several recommendations for how to work toward establishing a culture of security within your NGO, including educating staff on risks, establishing responsible data policies, and conducting “audits” of your physical security, among other steps. No single step can ensure full security, but each step gets you closer to stronger, sustainable practices.
One simple step anyone can take right now is to review their own practices of data backup, he said, for organisational data or your own laptop. Do you know how to successfully back up everything to a secure offline location and, as importantly, do you know how to successfully restore from your backup?
In the end the key step is to begin conversations about the topic, rather than shying away from them. Gunner urged every organization to “create safe space for talking and learning about security, and bring digital security up with peers and find out how they are thinking about these issues.”
A wealth of knowledge and support is available for doing better with digital security. The webinar closed with a call on participants to seek answers from experts and their own peers and to remember that sound digital security is an ongoing process of awareness.
If you are interested in taking further steps and tapping into more expertise, please sign up for the TABridge tech-discuss listserv, available on our homepage. And check out the extremely useful materials available from our peer organizations below.
There’s a lot more information available in the full webinar archive online. And remember to also visit the new #TABridge guide, “Fundamentals for Using Technology in Transparency and Accountability Organisations.”
Learn more from the following organisations:
- EFF’s Surveillance Self Defense
- Frontline Defenders
- the engine room’s Responsible Data Forum
- The Guardian Project
- Digital Defenders Partnership
- Tactical Tech’s Privacy & Expression
Allen Gunn (@allengunn) of Aspiration is a co-organizer of the #TABridge network and works to help NGOs, activists, foundations and software developers make more effective use of technology for social change.
Dirk Slater (@fabrider) has two decades of experience working with grassroots activists and advocates to harness the power of information by gathering, packaging, distributing and protecting it. You can learn more about him and his work at FabRiders.
Jessica Steimer (@JSteim) is the training and support manager at Aspiration, where she trains and supports community organisations around nonprofit technology best practices, specialising in business processes for nonprofit communications and technology sustainability.
Content for this webinar was derived in part from our new guide, “Fundamentals for Using Technology in Transparency and Accountability Organisations.” You can play a recording of the webinar and slideshow, or see our full schedule of #TABridge webinars.
Photos: Dell.com, Amsterdam Printing/Flickr, Sean Dreillinger/Flickr, Teresa Stanton/Flickr