Security FAQ and Tips

The following is a list of frequently asked questions and their answers, but feel free to ask us anything else you want to know.

1. What is encryption?
Encryption is the scrambling of data into a secret code that cannot be deciphered except by the intended party. Given enough time (and enough computing power) all encrypted messages can be read, but this can take massive amounts of time and resources.

In simple terms, encryption is a way for you to secure your files and your e-mail from spying eyes. Your files get translated into code that makes no sense to anyone who sees it. It is an apparently random collection of numbers and letters. To encrypt a file, you "lock" it with a key, represented by a passphrase. To encrypt a message, you lock it with a key pair using your passphrase. It can only be opened by the intended recipient, who uses his or her own passphrase.

2. Why should human rights groups use encryption?
Everyone should use encryption because digital communications are inherently unsafe. However, human rights workers are at a far greater risk than most individuals and their files and communications are more sensitive. It is imperative for human rights workers to use encryption in their digital communications to protect themselves and the people they are trying to help.

Digital technology is a benefit to human rights groups, allowing them easier communications, greater efficiency and more opportunities. However, with any benefit come certain dangers. You wouldn't drive a car without seatbelts even if you were not likely to get into an accident every time you drive. If you are driving in a more dangerous situation such as a race, you are more likely to use the available tools to make you safer.

Similarly, human rights workers are known targets for surveillance. Because unencrypted email can be viewed by almost anyone from many different points of access, it is almost inevitable that their unencrypted email will be accessed at some point. Your messages may already be monitored by your adversaries and you will never know about it. Your beneficiaries' adversaries are your adversaries.

3. Is it illegal to use encryption?
Sometimes. It is perfectly legal to use encryption in the United States, Canada and other western nations including Peru. In fact it is legal in most countries of the world. However, there are particular exceptions in other parts of the world. In China, for example, organizations must apply for a permit to use encryption and everyone must report any encryption technology on their laptops as they enter the country. Singapore and Malaysia have laws requiring anyone wishing to use encryption to report their private keys. Similar laws are pending in India. There are other exceptions as well.

The Electronic Privacy Information Center (EPIC) provides An International Survey of Encryption Policy, which discusses the laws in most countries (http://www2.epic.org/reports/crypto2000/). However, this list was last updated in 2000. Before you use encryption in a particular country, check with us.

4. What software is available?
There's email encryption, disk encryption, anonymous remailers, backup systems, virus protection, firewalls, and more!

But having the right software is not the whole solution. The weakest link is usually individuals, not technology. Encryption doesn't work if individuals don't use it consistently, if they share their passphrases indiscriminately or leave them in visible locations such as a sticky note pasted to their monitors. Backup software won't save you in the event of a fire or raid if you don't ensure the backup copy is stored at a separate secure location. Sensitive information must be treated on a need-to-know basis instead of being shared with everyone in the organization, so you need to initiate hierarchies and protocols. In general, it's important to have a consciousness of privacy and security in your everyday activities. We call this "healthy paranoia".


5. What do we need?
It depends on your system and your activities, but generally everyone should have:



6. How do you choose which encryption software to use?
Usually, you ask your friends and confirm with us. You need to communicate with certain people and groups so, if they are using a specific encryption system, you should use the same system to facilitate communications. However, check with us first. Some software packages simply don't do a good job while others are honey pots. With a honey pot, you are lured into using the free and seemingly excellent software by the very people who want to spy upon you. How better to read your most vulnerable communications than by being the overseer of your encryption software? Still, there are many reputable brands of both proprietary software and freeware. Just remember to investigate before you use it.


7. Won't using encryption put me at a greater risk of a crackdown?
No one will know you are using encryption unless your email traffic is already being watched. If your email traffic is already being watched then your private information is already being read. That means you are already involved in a crackdown by those doing surveillance on you. There is a concern that those doing surveillance on you will use other options if they can no longer read your email, so it is important to know your co-workers, implement safe backup policies and consistent office management at the same time you begin to use encryption.


8. Why do we need to encrypt email and documents all the time?
If you only use encryption for delicate matters, those watching you or your clients can infer when critical activity is taking place and are likely to crack down at those times. While they cannot read your encrypted communications, they can tell whether files are encrypted or not. A sudden rise in encryption may trigger a raid, so start using encryption before special projects arise. In fact, it's best to ensure all communication traffic flows smoothly. Send encrypted email at regular intervals, even when there is nothing new to report. This way, when you need to send delicate information, it will be less noticeable.


9. If I've got a firewall, why do I need to encrypt my email?
Firewalls prevent hackers from accessing your hard drive and network but, once you send an email out into the Internet, it's open to the world. You need to protect it before you send it.


10. No one is breaking into this office so why do I need to use privacy software?
First, you don't know if anyone is breaking into your system or if anyone is leaking information. Without encrypted communications, without physical security, without privacy protocols, anyone can be accessing your files, reading your e-mail and manipulating your documents without your knowledge. Second, your open communications can put others at risk in locations where politically motivated raids are more likely to occur. If you lock your doors, you should encrypt your files. It's that simple.


11. We don't have Internet access so we have to use an Internet café. How can we protect communications that we send from an outside computer?
You can still encrypt your email and your files. Before going to the Internet café, encrypt any files you intend to email and copy them in encrypted form onto your floppy disk or CD. At the Internet café, sign up for an encryption service such as Hushmail.com or an anonymity service such as Anonymizer.com, and use these when sending your email. Make sure the people receiving your communications have already signed up for these services.


12. If it's so important to secure our files and communications, why doesn't everyone do it?
This technology is relatively new but its usage is spreading. Banks, multinational corporations, news agencies and governments all use encryption, recognizing it to be a sound investment and a necessary cost of doing business. NGOs are at greater risk than companies, which most governments wish to welcome. NGOs are more likely to be targeted for surveillance so they need to be proactive in implementing the technology. The focus for human rights workers is protecting persecuted individuals and groups. To do so, they keep files with identifying and locating information. If these files are accessed, these individuals can be killed, tortured, kidnapped, or "convinced" not to assist the NGO anymore. Information from these files can also be used as evidence against the NGO and their clients in political prosecutions.

13. One of our principles is openness. We are lobbying for greater transparency by the government. How can we use privacy technology?
Privacy is consistent with openness. If the government wishes to openly request your files, it can do so through proper and recognized procedures. Privacy technology stops people from accessing your information in a clandestine manner.


14. We follow all the privacy and security protocols and still our information is leaked. What's going on?
You may have a spy within your organization or you may have someone who simply cannot keep information confidential. Rework your information hierarchy to ensure fewer people have access to delicate information, and keep an especially watchful eye on those few people. Large corporations and organizations routinely disseminate different bits of false information to specific people as a matter of course. If this false information leaks out, the leak can be tracked directly back to the employee who was told the original (false) information.
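
The seeded-information approach described in answer 14, sketched in Python as an added example that is not part of the original FAQ. The recipient names, decoy wording and function names are constructed for illustration. Each person receives a notice with a unique combination of false details, and a leaked copy or paraphrase is matched back to whoever was given those details.

```python
from itertools import product

# Constructed decoy details: each slot lists interchangeable false values.
SLOTS = (
    ("Tuesday", "Wednesday", "Thursday"),
    ("09:00", "10:30", "14:00"),
    ("annex", "library", "north office"),
)
TEMPLATE = "The meeting moves to {} at {} in the {}."


def assign(recipients):
    """Give every recipient a unique combination of decoy details."""
    names = sorted(set(recipients))
    combos = list(product(*SLOTS))
    if len(names) > len(combos):
        raise ValueError("more recipients than distinct variants; add a slot")
    return dict(zip(names, combos))


def render(combo):
    """Text handed to one recipient."""
    return TEMPLATE.format(*combo)


def trace(assignment, leaked_text):
    """Return the recipients whose variant is consistent with a leak.

    A leak is often a paraphrase, so only the details that survive are used;
    fewer surviving details means a longer list of candidates.
    """
    text = leaked_text.lower()
    observed = {}
    for slot, options in enumerate(SLOTS):
        hits = [o for o in options if o.lower() in text]
        if len(hits) == 1:          # skip slots that are absent or ambiguous
            observed[slot] = hits[0]
    if not observed:
        return []                   # no decoy detail present: nothing to trace
    return sorted(
        name for name, combo in assignment.items()
        if all(combo[slot] == value for slot, value in observed.items())
    )


if __name__ == "__main__":
    staff = assign(["chen", "amira", "ben", "dara"])  # constructed names
    print(trace(staff, render(staff["chen"])))        # full copy leaked
    print(trace(staff, "heard it's in the annex now"))  # paraphrased leak
```

A paraphrased leak that keeps only one detail narrows the list without singling anyone out, so the result is a set of candidates to look at more closely rather than proof against one person.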

The Do's and Don'ts of Using Encryption