The security and ethics of live mapping in repressive regimes and hostile environments (updated February 15)
Some Standby Task Force (TF) volunteers have recently been involved in mapping events around the demonstrations taking place in North Africa (Tunisia, Egypt and Sudan), at the specific request of local activists. None of these activities have called for a full deployment of the Task Force, but they have raised some important questions. There may be a time when we are asked as a community to take on live mapping in a repressive regime or hostile environment. There will undoubtedly continue to be Task Force volunteers who individually engage in supporting mapping in such environments.
This post aims to start a discussion on the two critical issues to be considered for live mapping in repressive regimes and hostile environments: security and ethics. These are just some initial thoughts; please comment on this post with your views.
Security
Activists operating in repressive regimes are well aware of the risks they are running when they organize demonstrations or speak out about an issue. However, many activists are new to online reporting and organizing, and may be unaware of the particular risks of operating on the internet. In particular, activists are not always clear on what online actions will enable the authorities to identify them and what the consequences can be. One activist recently said: “What’s the point in protecting my identify on the net? They’ll know who I am if I go to a demonstration anyway.” We would suggest that it is very important to have control over when you are or are not to be identified with a particular action.
Thus, as an online community, it is our responsibility to advise any activists operating on the ground of the risks they may be running online and how they can mitigate them. This is in line with the TF Code of Conduct where we state:
“Safety: I will use as guideline principle for all my activities in the TF the Do No Harm principle. I will place the highest priority on the safety of the general public. I will not engage in any activity that could potentially endanger the affected populations that are source and target of reports and information during specific disaster response operation I am involved in.”
Here is a summary of the advice we could provide on security with regards to communicating, organizing and reporting. – UPDATED (MARCH 18): thanks all for the advice left in the comments section, now included below.
Security in online communication: normal email accounts (gmail, yahoo, etc) can be easily hacked, so everyone should be encouraged to move to alternative means of online communication. Some useful tips:
- Everyone working on the project needs to have TOR or similar independent security software on their computer (this protects other users from viewing what websites you have accessed). If the main TOR site is blocked, try one of the mirror sites.
- If vulnerable websites are visited (e.g. gmail, yahoo, etc), always use https proxies if available
- If sensitive websites have been visited (before installing TOR), delete all browser history. Your browser history can still be found, but this makes it a little harder.
- Everyone working on the project needs to get a Hushmail e-mail account. This is free online email that is safer than most email providers. There was one case in Canada where Hushmail agreed to hand over information on email accounts, but it seems unlikely that a similar request from a repressive regime would solicit the same response. Independent security systems (described in 1) are better than third party ones, but Hushmail is a good start.
- All passwords needs to be transformed into Passphrases and all caches (saved passwords) need to be deleted from browsers
- All sensitive content needs to be deleted *permanently* from normal email account
- Skype is a relatively safe way to communicate (as long as no-one has your password!). Skype-to-skype voice calls cannot be recorded, but the audio compression system used in skype allows phrases to be identified with an accuracy of between 50% and 90%, even with encryption applied. All skype chats are encrypted. However, it is possible to see who you are talking to and your skype chats are stored in your skype account (but it would be very difficult for someone to access them). It is best to download skype in a safe environemnt, since skype downloads are not made through a secure connection, which means that other sites can masquerade as the main site and offer compromised versions of the software. A separate SkypeID should be created for senstive content to minimize risk. All sensitive content needs to be deleted from normal Skype account (including deleting chat history and call history). Always be sure that the contacts you are talking to are correct and not someone impersonating them.
- If instant messaging services are used (Google Talk, MSN, AIM etc), use an encryption service called Off The Record (OTR). You can read more about OTR here. An easy way to use OTR is to install Pidgin (together with the relevant OTR encryption for your instant messaging client) or Adium (comes with OTR built in).
Security in online organizing: it is important to communicate to activists that although social media such as facebook and twitter may be effective, they are also very unsafe. Some useful tips:
- All sensitive content needs to be deleted from Facebook page
- If using Facebook, use a false name and no pictures
- Public groups on Facebook should not be trusted at face value, they could be planted by the government. Secret groups on Facebook are not safe (they can also be hacked)
- A profile needs to be created on Crabgrass, a secure social networking platform
- If local activists want to use twitter, tweets should be relayed over skype to activists outside the country who can tweet safely
- If vulnerable websites are visited (e.g. facebook, twitter), always use https proxies if available
Security in reporting: online and local activists should have a discussion early on to identify an effective and safe strategy for reporting from the ground. Some useful tips:
- Mobile phones are very unsafe for communication. Every time you call or text, you send out both the SIM card details (IMSI / TMSI) and the mobile phone handset details (IMEI) . If mobiles phones are used, always use codes to communicate and change frequently SIM card and handset.
- If FrontlineSMS is used, change location of the computer every time the software sends information to Ushahidi and don’t use it from home
- In particularly hostile environments, do not use SMS, twitter or web-forms to report information. Email reports should come from and to a hushmail account. Skype can also be used to relay messages.
- Developing a trusted network of reporters early on may be critical in these environments, particularly since deliberate misinformation can be a concern
- Avoid circulating video or images that clearly show people who did not consent to their circulation.
- Remove or obscure portions of content that identify and endanger citizens, for example by blurring faces.
At the end of this post, you will find a list of useful documents on online security in case you want more detailed information. Finally, remember that all volunteers are personally responsible for not divulging any sensitive data as set out in the TF Code of Conduct:
“Integrity: I will maintain the confidentiality of all internal communications and information intended solely for TF coordinators and volunteers. I will maintain confidentiality particularly on data relative to:
- Personal phone numbers and e-mail addresses of the sources of information
- Contacts with NGO, International Organizations and other partners of the TF
- Sensitive data related to vulnerable groups like children, women, sick people, elderly, IDPs and refugees.”
Ethics
The crisismappers list saw some discussion about the ethics of contributing to live mapping efforts in complex political emergencies (which often, though not always, are in hostile environments). As a community, it is probably not possible to define an ethics of the Task Force that applies to all situations. However, it may be worth fleshing out some of the ethical concerns of live mapping in hostile environments – particularly around neutrality and impartiality.
First, what is the meaning of neutrality in the context of a complex political emergency in a repressive regime? The TF Code of Conduct says the following about neutrality:
“Neutrality: The TF assistance is given regardless of the race, creed or nationality of the recipients and without adverse distinction of any kind. I shall endeavor not to act as instruments of government foreign policy. I must not take sides in hostilities or engage in controversies of a political, racial, religious or ideological nature.”
The first two sentences are relatively easy to adhere to, as is the notion of not taking sides in hostilities. The more difficult one is “engage in controversies of a political, racial, religious or ideological nature”. Is mapping reports from pro-democracy activists that are demonstrating in a repressive regime akin to engaging in a controversy? One possible answer is that in such a situation we are intervening not to express an opinion ourselves, but to enable an opinion to be expressed. That is, we are upholding the right to freedom of speech, not taking a particular side in a controversy. And then the question becomes – is upholding human rights in a repressive regime the same as remaining neutral? In discussions about intervention, the meaning of neutrality can easily become eroded. In one sense, there is no such thing as a neutral intervention (and that applies to humanitarian disasters as much as to complex political emergencies). As a community, we will need to consider for each intervention how we define our neutrality, and what limits we need to identify to our interventions to make sure we don’t cross that line. This will inevitably be a messy process.
Second, is it possible to be impartial in a complex political emergency? The TF Code of Conduct says the following about impartiality:
“Impartiality: The TF assistance will not be used to further a particular political or religious standpoint. Aid priorities are calculated on the basis of need alone. I will carry my duties in the TF having in mind that humanitarian action must be carried out on the basis of need alone, giving priority to the most urgent cases of distress and making no distinctions on the basis of nationality, race, gender, religious belief, class or political opinion.”
This definition is best suited to sudden onset emergencies where the political elements are lesser, and needs can be more or less objectively defined using the Sphere standards for humanitarian assistance. What is ‘need alone’ in a complex political emergency? Which are the ‘most urgent cases of distress’? One useful way of considering impartiality in a complex political emergency – particularly in a hostile environment where mis-information is common – is to make every effort to avoid becoming the instrument of a particular point of view. Verification of reports is key, here are some useful tips based on our experience to date:
- If an event is reported by a trusted news source (e.g. BBC, Reuters, Al Jazeera), then mark it as verified.
- If an event is reported by one of our trusted reporters, then mark it as verified and as a ‘trusted report’.
- Other reports are posted as unverified only once there are at least two independent reports on the event.
This post only scratches the surface on issues of security and ethics for live mapping in hostile environments. Additions to and comments on the thoughts set out here would be most welcome.
Useful documents on online security:
How to Communicate Securely in Repressive Environments – A Guide for Improving Digital Security – Patrick Meier
Security In A Box – How to remain anonymous and bypass censorship on the Internet – 2010-06-21 – MobileActive
Security In A Box – How to protect your information from physical threats – 2010-06-16 – MobileActive
Security in-a-box
SMS Privacy Tips for Election Monitoring And More
Digital Security and Privacy for Human Rights Defenders
THE DIGIACTIVE GUIDE TO TWITTER FOR ACTIVISM – Andreas Jungherr
Non Violent Struggle – 50 Crucial Point
Hints and Tips for Whistleblowers
Surveillance Self-Defense: Defensive Technology
WARNING: Social media is dangerous
Skype security weaknesses could endanger vulnerable users
Organize on Facebook Securely
I read the TF code of conduct with interest. Thanks for all the good work.
It appears to me that the TF code of conduct, and in particular the section on impartiality, was written with humanitarian crises in mind where “the political elements are lesser, and needs can be more or less objectively defined using the Sphere standards for humanitarian assistance.” Questions: Should the TF provide assistance to crowd-mapping efforts of crises which are more political in nature, such as the Egyptian or Tunisian protests, or the political crisis in Cote d’Ivoire. In such cases, the need is not so much to deliver live-saving aid, but to report in a precise manner about the human rights violations which are taking place for later use in prosecutions of those most responsible for example. But is it then still possible to uphold a principle of impartiality. First, the organization which is setting up a Ushahidi platform may have a political agenda of its own which it may or not advertise. Second, those contributing information may also further political agenda. Hence, as was said, verification of the information is key. However, for this to be made possible, the information which has been contributed need to be detailed enough to allow corroboration to take place. I thus advocate for more stringent protocols to be put in place for reporting about political crises and more particularly human rights abuses. Impartiality in these cases can only be upheld if one can demonstrate that it has applied an objective methodology in dealing with the information received.
With regard to the verification of reports, I am a little surprised to find that you recommend to tag reports “by a trusted news source” as “verified”. In my experience, media may or not provide accurate information, in particular to the precise location of an event, its attribution, etc. There is also a lot of copy paste from other news or press agencies without little verification taking place. Else, I would tag the information based on its provenance: Trusted news source, news source, trusted report, report, etc. and only tag an event as verified once there are at least 2 (rather 3) independent reports on that event. And of course you want to do this in a very transparent way and give the user a look at the all the reports which were used to conclude that an event is verified.
Faithfully reporting messages from social media cannot be partisan. The whole debate seems odd. As a group we don’t generate any ‘news’ and we don’t make any decisions between one report and another, just whether or not it has been confirmed. Am I wrong?
The bigger decision point is supporting one activity vs another, and “jumping in” as in the case of Egypt where the internet and cell service is cut off – preventing an ‘official’ request from orgs that are in-country.
Another issue about involvement concerns the amount and type of publicity or promotional efforts we engage in. In order for any of this to work, the wider public needs to know about the SMS# or web address to get their messages mapped. Without that the whole thing is pretty useless it seems.
indeed serious topic that needs to be discussed and I believe this is gonna be a process of learning and getting experiences as well as about making inevitably good and bad decisions. And I feel it is OK, this field is unmapped and only through work and learning lessons we can move effectively forward. I agree with Om that just reporting is non partisan as we usually simply map any relevant information. More importantly, this is about citizen journalism and reporting, opening channels for anyone to report. We are not using the data to strategically coordinate events and to manage them (I believe the Sukey team is trying to figure this out as well – http://www.guardian.co.uk/uk/2011/feb/02/inside-anti-kettling-hq). Regarding the SBTF engagement, for me the issue is not what type of crisis it is, whether humanitarian or political, but for me the key question is WHO is requesting SBTF activation and who is SBTF supporting. In vast majority of cases, SBTF will not be the one deploying platforms, but will be providing support to partners where extensive capacity is needed. So, I believe the code of conduct is OK, but we should look more deep into the decision making processes and protocols about activation and having some broader agreement on who are those who are not ever gonna be our partners (so, government oppressing its citizens is most likely not gonna be the partner, and for example the russian neonazis trying to track the minorities neither. However, I can imagine partnering with a governmental response institution during humanitarian crisis caused by natural disaster). I don’t think we’d be able to draw a clear line now, but we definitely can start process of preparing some kind of “blacklist”.
Another serious issue is of course the verification of information. I see a way to go by trusted networks of reporters and clear tagging of reports. Agree absolutely with cryptosaure on the classification. The verification criteria we have now and that are mentioned in the post are also designed more around humanitarian crisis, rather than political. And in sensitive environments, these criteria will have to be way more strict before we publish report tagged as “verified”.
This information is bad. It will get people arrested, under suspicion, and possibly killed. Hushmail has been easily compromised and is a horrible security model. Skype is trivial to analyze and determine who you are and what you are saying/chatting. use tor over https proxies, or you are just giving up your data to the https proxy provider. no wonder so many people get arrested and tortured if this is the best advice they can get.
Great piece Patrick. This is a very healthy conversation! There was discussion in the first week of the flooding in Pakistan regarding the appropriateness of mapping the parts of that country where possession of maps are illegal, and the authoritarian regime would possibly use such information (i.e.: residential addresses, schools, emergency assistance) for further control. I appreciate that the SBTF does not self-activate and only responds at the request of a local partner. That protocol will significantly reduce the unintended consequences of good intentions, but alone does not relieve the foreign volunteer community from grappling with these challenging questions.
The book Crisis Caravan: What’s Wrong with Humanitarian Aid opens by comparing the outlooks of Red Cross founder Henri Dunant’s view that help should be provided no matter what and Florence Nightingale’s view that aid should not be directed towards communities if warring parties use it to continue fueling a conflict. From my perspective, this question is the crux of the “neutrality” debate, and which clearly continues into this blog post. Patrick writes:
As a community, we will need to consider for each intervention how we define our neutrality, and what limits we need to identify to our interventions to make sure we don’t cross that line. This will inevitably be a messy process.
Neutrality is not fixed, and it likely will differ across our own cultures. Through discourse and debate we will be more prepared to face the inevitable unintended consequences that will arise from such important work.
What does changing the SIM card do except add another phone number to the “friendship tree” ? It will not confuse automated Communications Data Traffic Analysis tools like i2 Pattern Tracer etc.
Every mobile phone Call Data Record contains both the SIM card details (IMSI / TMSI) and the mobile phone handset details (IMEI) – unless you change all of them i.e. a new handset or you have re-programmed the IMEI, (something which is illegal in many countries) and only use the phone / SIM combination for a limited time, then you may still be betraying your contacts / friends / co-conspirators.
You should be looking at creating or using GSM Gateways / SIM boxes, which often do not have any call log files to hand over to the authorities.
@ fluffy bunny – what do you expect from Hushmail or any other free email provider ?
It takes a Canadian Court Order invoked by a Mutual Legal Aid treaty request to compromise Hushmail, that is not “easy” for repressive third world governments to obtain, although it is relatively easy for allegedly civilised “Western” governments and agencies to do so.
Yahoo, Google and Microsoft Hotmail also regularly comply with such US Court Orders.
Local ISP email providers in your own repressive country will be forced to cooperate to hand over copies of your emails and the associated Communications Data i.e. subscriber details and send / receive log files, so US or Canadian based web email providers do provide some level of anonymity protection.
N.B. in countries like the United Kingdom, there is no need for a Judicial Warrant or a Court Order, the authorities self-authorise themselves for access to communications intercepts or communications traffic data.
Hushmail does not have a non-https// session encrypted option, something which is still available for gmail or hotmail etc.
Hushmail honours STARTTLS and it strips out your computer’s IP address information from the email headers.
Obviously you can add another level of encryption to the contents of your email messages using PGP / GPG etc. when using any email provider , but getting even supposedly technologically literate journalists etc. to use and publish public PGP keys at all, is an uphill struggle.
Another point about Hushmail is that it is comes with built in Digital Signing of even plaintext , non-encrypted email, something which can be useful for press releases etc., when there are attempts by your opposition to send out fake propaganda, as has been alleged in Egypt.
While you seem to have the heart in the right place, I would discourage anyone from following your advice.
1. “[…]change frequently SIM card” – This won’t accomplish anything if you don’t also use another phone since the phone it self can be tracked using it’s IMEI number.
2. Hushmail have been known to hand over users emails to authorities. Use your normal email and do the encryption on your own computer using GPG and remember that they can still see whom you communicate with (use Tor or I2P to get around that).
3. Skype traffic is easy to spot in the net and it’s not known exactly how safe/unsafe it is. Use pidgin with OTR to get convenient encrypted IM communication instead.
4. “If sensitive websites have been visited, delete all browser history” .. cmon! It will still be there, sitting on the harddrive, for anyone that cares to look further than the bookmark menu in firefox. Use torbutton or at least turn on private browsing before you access sensitive info.
Thank you all for taking the time to comment on this post, and thanks @jaro for reminding us that this is a “process of learning and getting experiences as well as about making inevitably good and bad decisions.” Some thoughts on the comments so far…
@fluffy bunny, @wtwu, @A – thank you for your comments… and we’d love your help. You despair at our lack of knowledge, but it’s all we got right now! When a bunch of university students in a repressive regime gets in touch with us for support, we scramble to try to get them some advice. That’s not good enough, you’re absolutely right. In this post is a summary of our collective knowledge to date, and it would be great to make it better. I’m already taking note of your additional suggestions, and will post an updated list of advice (as well as make all our volunteers aware of it). If you have the time to give us some links / more detailed instructions on the suggestions you have made so far, that would be fab (@wtwu, yeah uphill struggle to get anyone to follow this advice!). Also, the TOR download website is blocked in a number of countries. Would one of you be able to outline second best alternatives? Very much appreciated 🙂
@cryptosaure, I entirely agree with you that our impartiality will be greatly enhanced by having an objective methodology for dealing with the information received. In fact, I’ve been thinking that we should make it a standard protocol that all TF crowdmaps display their verification policy online. Not sure we can have a standard verification policy (probably will depend on the context?), but I do like your suggested that we call things for what they are – “trusted news source”, “news source”, “trusted reporter” – and then tag as “verified” only once three independent reports have been received.
@omdesign (and@jaro), but reporting is partisan because in practice we do make decisions between reports (and not just about their relevance). on a recent platform, a comment on a report was received that read “we shall not stop until we spill blood to revenge this martyr”. Would you publish that? I wouldn’t.
@jaro, yes yes – *who* is requesting TF activation is a crucial question, clear gap in the ethics discussion in this post. Some groups may be obvious, others may be harder to judge. I’m not sure a ‘blacklist’ is the best course of action, I’d rather go by some kind of standard. For example, TF partners must be non-violent and respect human rights. Does that sound sensible?
@alex rose, thanks for pointing out other historical debates on neutrality. Are you familiar with the debate in the humanitarian community about disengagement from North Korea? MSF has some interesting papers on how aid to relieve the famine was instrumentalised by the regime. What’s interesting is that this debate commonly looks at humanitarian interventions, but less so at interventions in support of civil rights. Yet neutrality, it seems to me, is just as relevant to a discourse on rights. Isn’t all about applying a standard? And thus, aren’t we just as neutral or non-neutral whether we apply a standard to basic needs or to basic rights?
Are all these official TOR mirror sites blocked as well ?
https://www.torproject.org/getinvolved/mirrors.html.en
If someone is desperate for a copy of the latest stable TOR/Vidalia bundle for Windows, they should be able to find one via the
Tor – The Onion Router cloud of proxy servers
article at
http://ht4w.co.uk
Hints and Tips for Whistleblowers
Technical Hints and Tips for protecting the anonymity of sources for
Whistleblowers, Investigative Journalists,
Campaign Activists and Political Bloggers etc.
Thanks Trinity for comprehensive response, just to follow up on some points and keep this conversation going…
re “@omdesign (and@jaro), but reporting is partisan because in practice we do make decisions between reports (and not just about their relevance). on a recent platform, a comment on a report was received that read “we shall not stop until we spill blood to revenge this martyr”. Would you publish that? I wouldn’t.”
No I wouldn’t publish that, not necessarily because it is kind of “biased” report, but simply because it is irrelevant to be mapped – it is not an incident. I believe the best added value of live mapping platforms is reporting geospecific incidents, rather than opinions, or more general reports.
re “I’m not sure a ‘blacklist’ is the best course of action, I’d rather go by some kind of standard. For example, TF partners must be non-violent and respect human rights. Does that sound sensible?”
yeah, but I am afraid standard is really difficult to find. First of all, anyone can claim that is nonviolent and respects human rights, second, it is still too general to make a sensible decision. Me personally would still have a problem with assisting a group with strong political or religious background (regardless what side of political spectrum it is or what religion), no matter how peaceful and non-violent they are (or are claiming to be). That’s why I was suggesting to start with something that can be pretty easily nailed down. With accepting the fact that ongoing discussion is needed and that decisions will have to be often made quickly, on case by case basis, based on only information available at that particular moment.