Many local partner organizations that international development actors engage with face risks while operating in challenging – and sometimes dangerous – environments. Some civil societies now face push backs from their governments and confront a closing space to function in, while others operate in fragile states where violence hinders progress.
My organization, Center for International Private Enterprise (CIPE) is no exception and we have partners in a range of countries in such circumstances – from Ukraine to Afghanistan – doing tremendous work to create a more sustainable democratic and economic communities.
To support such organizations maneuver in difficult environments, the following are five mobile or online tools that could be used to strengthen the local organizations’ digital security.
Be sure to suggest data security session ideas at MERL Tech 2016 and register now to participate on October 3-4, 2016 in Washington, DC.
NOTE: As you explore the tools, please keep these points in your mind.
- Despite the sophistication of the tools mentioned below, organizations should not rely solely on digital security for their safety, even if they are being careful. Many authoritarian governments are digitally savvy, so in some environments it is impossible to be 100% secure. Organizations should make sure they are following all the laws and regulations (even if they are burdensome), and that they are not communicating in ways that would put individuals at risk, even if they were compromised.
- Carefully review and understand the privacy policies of any tools before using them.
- Adopting new technology is like a behavior change – it takes time and effort, so be patient if your organization decides to adopt and use one of the tools for your organization.
The suggested tools and strategies are common threats and risks associated with using certain ICTs, as well as possible products and strategies to consider using to improve your organization’s security measures.
For a messaging/chat service:
Common risks/recommendations for messaging/chat services:
- Most messaging services lack encryption – pick an app that offers end-to-end encryption
- Avoid using the messaging services through open networks, such as WiFis in cafes and public places
Possible products to consider:
- Telegram is an interesting app. It’s a free app that offers end-to-end encryption and is thus secure. It also has a channel feature where you can blast a message to several people who subscribe to the channel. There are “supergroup chats” where you can have up to 5,000 participants. What’s also great is that it has a self-destruct mode where you can set a timer to an individual message, and it automatically disappears. Watch the tutorial video for the app here.
- Whatsapp , as many of you probably know, recently adopted an end-to-end encryption system, making it another secure way of messaging with others. You can use the app more securely by locking the app (such as with ChatLock), blocking photos from photoroll, hide the “last seen” option, or setting the profile picture to “contacts only”.
Note: both Telegram and Whatspp require smart phones and data or Wi-Fi to connect.
For email:
Common risks/recommendations for email systems:
- Common threats for email security includes: malware, email interception, weak passwords, spamming, phishing/spear phishing
- Some ways to manage these common problems include: no opening suspicious emails/links, take note of where you use your email address (i.e.: sign ups on websites), use more secure/stronger passwords, do not reply to SPAM
Possible products to consider:
- ProntonMail is an email system (free for up to 50 MB storage space and up to 150 message/day; for large storage space and more email frequency, must upgrade to a fee-based version) that provides automatic email security (end-to-end encryption). Its features include self-destructing emails, and double-password security. Emails can be sent from Gmail, Outlook and other platforms. One caution of note that while it is difficult, it is possible to decrypt emails on ProntoMails.
- Tutanota is a German-based email system that also offers end-to-end encryption. The system is free for one user (one email account) up to 1 GB and must use a Tutanota domain only. If you’d like to add multiple users to the account (have multiple email accounts for a company/organization), then the fee is €1 per month per user, for up to 1 GB per user, and cause use your own domain or use Tutanota domain. It is open sourced, and offers local encryption (on devices). Watch the tutorial video for Tutanota here.
For storage space:
Common risks/recommendations for storage space solutions:
- Common threats to storage services are user error and insider activity
- Possible threats include compromised credentials (usernames, passwords), lack of encryption, and the more users who use a certain storage stage = the higher the possibility to attract more hackers
- To counter these risks, consider: creating stronger passwords, have your IT department audit all connected devices, spread sensitive data between different storage spaces, and review of what is being shared.
Possible products to consider:
- If you already use a certain cloud-based storage space (such as Dropbox, Microsoft OneDrive, Google Drive, etc.), which are not entirely secure, you can add an extra layer of protection. Such as:
- Use a two-step authentication process
- Add a third party encryption (such as Boxcryptor, which encrypts data on devices before they are synchronized to the cloud)
- Spideroak is an increased security cloud-based storage service. It offers up to 2GB of free trial for 60 days (after that, it’s $7/moth for 30 GB or $12/month for 1 TB), has zero knowledge encryption (means your data is 100% private and only readable by you), does not store users’ passwords nor encryption keys; storage redundancy savings, and syncs across all devices. Watch the tutorial video for Spideroak here.
All of these suggestive tools been around for at least 5 years, which is a good sign because that means the products are well vetted and well-funded. Often you read and hear about new apps or solutions created by startups, but they do not stick around for various reasons. As you come across new technologies, be mindful that one of the key factors to consider is whether the app itself will be around for longer than a year.
Also, it’s ultimately up to the individual organization or team to determine which tools are viable or fits into the overall IT system of the organization. Play around with the suggested tools above, and see what works best for your specific program, team, or organization!
Maiko Nakagaki is a Program Officer at Center for International Private Enterprise (CIPE).
I would strongly advise looking through some well-regarded and deeply researched guides before adopting any security tool. For secure chat, EFF has a great scorecard here: https://www.eff.org/node/82654 (with a new one in the works, watch https://www.eff.org/sms for updates).
EFF’s Surveillance Self Defense is a core guide useful to anyone interested in thinking critically about protecting information: https://ssd.eff.org/ I cannot recommend reviewing this enough.
For a broader set of tools and tactics; Tactical Tech’s Security in a Box (https://securityinabox.org/en) is an immensely valuable guide.
I would specifically caution against using Telegram (See http://gizmodo.com/why-you-should-stop-using-telegram-right-now-1782557415 for a start); and any third party, closed source security service should require a high bar to gain your trust. I recommend peeking at the thoughtwork going in to the Open Integrity Index (https://openintegrity.org/) to get grounded in what matters for a tool you’re trusting to keep sensitive data safe.
At the root of all of this, however, is knowing what you consider to be sensitive information, and what you’re concerned about happening to it. Google Drive may be perfectly suited to 99% of your work, or 10% – depending on the threats you face.