Understanding Your Risks: Risk Assessment and Mitigation. Michael Carbone


What is
● international human rights organization
● mission: "defend and extend the digital rights of users at-risk around the world"
● policy, tech, advocacy work
● 24x7 helpline for your needs
  – Tunis, Tunisia
  – San José, Costa Rica
  – French, Arabic, Spanish, English
  – opening: Manila, Philippines

Context / Environment
● Social networks, blogging, forums, dating sites, mobile phones & apps have all become platforms for expression and association
  – Especially important in societies that discourage this expression and association offline
● These same platforms have been used to target activists and communities, both online and offline
  – "Digital" security has physical security consequences
  – Not just for you, but for your community and network

Assessing and Managing Your Risks
● By thinking through the risks we face, we can make better decisions on how to stay safe and protect our friends and networks
● Managing risks to improve security is always a trade-off; there is no such thing as "being 100% secure"
● Tools will not make you secure – you need to think about your behaviors and practices, of which tools are one part

We Manage Risk Every Day
● Locking office doors
  – Using strong passwords or passphrases
● Crossing the street using a crosswalk versus in the middle of the road
  – Having the choice of more secure communications
● Brushing our teeth
  – Keeping our operating system and software up-to-date
● These are not one-off decisions but ongoing choices we make
  – Formalizing these choices can help us make better decisions

Some Language Used in Risk Management
What threats from which adversaries pose the highest risk to your assets?
● asset = what you are protecting
● threat = what you are protecting against
● adversary = who is posing this threat
● risk = likelihood of that threat occurring

Assets
● Assets are what you want to protect
● Are you protecting the confidentiality of communications or information?
  – like the content of a chat, email, or document
● Are you protecting individuals' anonymity?
  – like who is in your organization's membership

Confidentiality vs Anonymity
Which is important for your work?
● Confidentiality of content of communications?
  – Documents, emails, chats, plans
● Anonymity of your association with this work?
  – Are you already publicly identified as an LGBTI activist?
  – Are you already publicly identified as LGBTI?
  – Do you go to meetings, parties, events associated with the community?
● Anonymity for you and your work may not be desired
  – But don't forget about your colleagues, allies, networks who may want to retain their anonymity given their own contexts

Threats
● Threats are what you are protecting against
  – Access to private information (identity, contacts, location, communications)
  – Blackmail
  – Office raid
  – Arrest
  – Entrapment
  – Physical harm

Adversaries
● Adversaries are entities who pose a threat to your assets – anything you want to protect
  – the government, religious institutions or groups, political parties/movements, armed groups, family members
● What is the nature of those threats? What are their capacities?
  – Reading our text messages, raiding our offices, installing malware on our devices as we cross a border, reading our public Facebook page or dating profile, harming our relationship with our family
● Different adversaries have different capacities and require different strategies for mitigating those threats

Vulnerabilities
● Vulnerabilities are your practices that make it more likely for harm to happen
  – Always try to find your "weakest links" in security for improvement, as these will likely be what your adversaries target first
● Our digital activities can create physical vulnerabilities for us
  – Short passwords on devices
  – Relying on outdated software
  – Using dating websites insecurely
    ● Scruff, Adam for Adam, Manjam, Gaydar, PlanetRomeo, etc.
  – mobile apps (geolocation)
    ● Grindr, Tinder, WeChat, WhatsApp, Twitter, Facebook
  – Sharing everything publicly by default on Facebook

Capacities
● Capacities are abilities and resources you may already have to improve your security
  – Knowing how to create long passphrases
  – Making regular backups of important files
  – Telling close friends where and when we will meet in person someone we met online
  – Checking in with friends when travelling
  – Locking your phone and computer when you don't use it
  – Checking your operating system and software for updates

All Together: Thinking Through Threats

Threats | Adversaries | Digital Vulnerabilities | Digital Capacities | Digital Capacities Required
Office raid, confiscation of devices, documents | Police and judiciary | Sensitive files (members database, emails) not protected | Backup files in separate location | Encrypt sensitive files and databases, delete information securely
Entrapment and assault | Homophobic gangs | Dating website profile is public, has face picture. Dating app shares geolocation. | Always carry mobile and let friends know where and when I meet someone. Not using dating apps. | Safer use of dating sites and apps

What are some threats you can think of for you and your work?
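As an added worked example (not part of the original slides), the table above encoded as a small risk register in Python: each vulnerability lists the capacities that would close it, so the code derives the "required" column from what you do not yet have and ranks threats by likelihood, which is how the slides define risk. The likelihood scores and the mapping of capacities to vulnerabilities are my assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    practice: str           # a practice that makes harm more likely
    mitigations: frozenset  # capacities any one of which would close it

@dataclass(frozen=True)
class Threat:
    name: str
    adversary: str
    likelihood: int         # 1 (rare) .. 5 (expected); the slides' "risk". Assumed score.
    vulnerabilities: tuple

def open_vulnerabilities(threat, have):
    """Vulnerabilities not covered by any capacity we already have."""
    return [v for v in threat.vulnerabilities if not (v.mitigations & have)]

def required_capacities(threat, have):
    """The 'Digital Capacities Required' column: what would close the open ones."""
    needed = set()
    for v in open_vulnerabilities(threat, have):
        needed |= v.mitigations
    return sorted(needed - have)

def prioritize(threats, have):
    """Highest likelihood first, then most open vulnerabilities (the weakest links)."""
    key = lambda t: (-t.likelihood, -len(open_vulnerabilities(t, have)), t.name)
    return [t.name for t in sorted(threats, key=key)]

# Constructed register: the two rows of the slide's table; likelihood scores are assumed.
HAVE = frozenset({
    "backup files in separate location",
    "carry mobile and tell friends where and when I meet someone",
    "not using dating apps",
})
THREATS = (
    Threat("Office raid", "Police and judiciary", 3, (
        Vulnerability("sensitive files (members database, emails) not protected",
                      frozenset({"encrypt sensitive files and databases",
                                 "delete information securely"})),
    )),
    Threat("Entrapment and assault", "Homophobic gangs", 4, (
        Vulnerability("dating profile is public and has a face picture",
                      frozenset({"safer use of dating sites and apps"})),
        Vulnerability("dating app shares geolocation",
                      frozenset({"not using dating apps",
                                 "safer use of dating sites and apps"})),
    )),
)
```

Calling `prioritize(THREATS, HAVE)` and `required_capacities(t, HAVE)` for each threat reproduces the table's last column; adding a capacity to `HAVE` shows which gaps it closes.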

Thanks! Michael Carbone

Digital Security Helpline

[email protected]

[email protected]

GPG key: 0x81B7A13E

GPG key: 0x32E8A2BC

More resources:
● Digital security tools and tactics for the LGBT community in the Arabic region, Security in a Box: https://securityinabox.org/en/context/01
● Risk Management, EFF's Surveillance Self Defense: https://ssd.eff.org/risk
