Understanding Your Risks: Risk Assessment and Mitigation
Michael Carbone
What is
● International human rights organization
● Mission: "defend and extend the digital rights of users at-risk around the world"
● Policy, tech, advocacy work
● 24x7 helpline for your needs
  – Tunis, Tunisia
  – San José, Costa Rica
  – French, Arabic, Spanish, English
  – Opening: Manila, Philippines
Context / Environment
● Social networks, blogging, forums, dating sites, mobile phones & apps have all become platforms for expression and association
  – Especially important in societies that discourage this expression and association offline
● These same platforms have been used to target activists and communities, both online and offline
  – "Digital" security has physical security consequences
  – Not just for you, but for your community and network
Assessing and Managing Your Risks
● By thinking through the risks we face, we can make better decisions on how to stay safe and protect our friends and networks
● Managing risks to improve security is always a trade-off; there is no such thing as "being 100% secure"
● Tools will not make you secure: you need to think about your behaviors and practices, of which tools are one part
We Manage Risk Every Day
● Locking office doors
  – Using strong passwords or passphrases
● Crossing the street using a crosswalk versus in the middle of the road
  – Having the choice of more secure communications
● Brushing our teeth
  – Keeping our operating system and software up-to-date
● These are not one-off decisions but ongoing choices we make
  – Formalizing these choices can help us make better decisions
Some Language Used in Risk Management
What threats from which adversaries pose the highest risk to your assets?
● asset = what you are protecting
● threat = what you are protecting against
● adversary = who is posing this threat
● risk = likelihood of that threat occurring
Assets
● Assets are what you want to protect
● Are you protecting the confidentiality of communications or information?
  – like the content of a chat, email, or document
● Are you protecting individuals' anonymity?
  – like who is in your organization's membership
Confidentiality vs Anonymity
Which is important for your work?
● Confidentiality of the content of communications?
  – Documents, emails, chats, plans
● Anonymity of your association with this work?
  – Are you already publicly identified as an LGBTI activist? Are you already publicly identified as LGBTI? Do you go to meetings, parties, events associated with the community?
● Anonymity for you and your work may not be desired
  – But don't forget about your colleagues, allies, networks who may want to retain their anonymity given their own contexts
Threats
● Threats are what you are protecting against
  – Access to private information (identity, contacts, location, communications)
  – Blackmail
  – Office raid
  – Arrest
  – Entrapment
  – Physical harm
Adversaries
● Adversaries are entities who pose a threat to your assets (anything you want to protect)
  – the government, religious institutions or groups, political parties/movements, armed groups, family members
● What is the nature of those threats? What are their capacities?
  – Reading our text messages, raiding our offices, installing malware on our devices as we cross a border, reading our public Facebook page or dating profile, harming our relationship with our family
● Different adversaries have different capacities and require different strategies for mitigating those threats
Vulnerabilities
● Vulnerabilities are your practices that make it more likely for harm to happen
  – Always try to find your "weakest links" in security for improvement, as these will likely be what your adversaries first target
● Our digital activities can create physical vulnerabilities for us
  – Short passwords on devices
  – Relying on outdated software
  – Using dating websites insecurely
    ● Scruff, Adam for Adam, Manjam, Gaydar, PlanetRomeo, etc.
  – Mobile apps (geolocation)
    ● Grindr, Tinder, WeChat, WhatsApp, Twitter, Facebook
  – Sharing everything publicly by default on Facebook
Capacities
● Capacities are abilities and resources you may already have to improve your security
  – Knowing how to create long passphrases
  – Making regular backups of important files
  – Telling close friends where and when we will meet in person someone we met online
  – Checking in with friends when travelling
  – Locking your phone and computer when you don't use it
  – Checking your operating system and software for updates
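The capacity "knowing how to create long passphrases" is the digital counterpart of the "short passwords on devices" vulnerability above. As an added example (not code from the presentation), the following Python picks words from a diceware-style wordlist with the operating system's CSPRNG and compares the resulting entropy with that of a short alphanumeric password. The 16-word list embedded here is constructed so the block runs offline; a real list such as the EFF long wordlist has 7776 entries, and the entropy figures depend on the size of the list actually used.

```python
"""Diceware-style passphrase generation and entropy comparison (added example)."""
import math
import secrets

# Constructed sample wordlist for the example only. A real diceware list
# (e.g. the EFF long list) has 7776 entries; use one of those in practice.
SAMPLE_WORDLIST = [
    "anchor", "basket", "copper", "daisy", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orbit", "pepper",
]

DICEWARE_LIST_SIZE = 7776   # 6^5 combinations of five dice rolls
ALNUM_ALPHABET_SIZE = 62    # a-z, A-Z, 0-9


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Fewest words from a list of `wordlist_size` entries that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist: list[str], n_words: int, sep: str = " ") -> str:
    """Choose n_words uniformly at random (with replacement) using secrets, not random."""
    if n_words < 1 or not wordlist:
        raise ValueError("need a non-empty wordlist and at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_strengths(password_length: int, n_words: int) -> dict[str, float]:
    """Entropy of an alphanumeric password vs. a diceware passphrase of equal count."""
    return {
        "alnum_password_bits": round(entropy_bits(ALNUM_ALPHABET_SIZE, password_length), 2),
        "diceware_passphrase_bits": round(entropy_bits(DICEWARE_LIST_SIZE, n_words), 2),
    }


if __name__ == "__main__":
    print("Sample passphrase (16-word list):", generate_passphrase(SAMPLE_WORDLIST, 6))
    print("8-char alphanumeric vs 6 diceware words:", compare_strengths(8, 6))
    print("Words from a 7776-word list for 80 bits:", words_needed(DICEWARE_LIST_SIZE, 80))
```

The comparison shows why word count matters more than character tricks: six words from a 7776-word list give about 77.5 bits, while an eight-character alphanumeric password gives about 47.6 bits. The passphrase must come from `secrets` (or physical dice), never from `random`, and the wordlist must be large; the constructed 16-word list here gives only 4 bits per word.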
All Together: Thinking Through Threats

Threat: Office raid; confiscation of devices and documents
Adversaries: Police and judiciary
Digital vulnerabilities: Sensitive files (members database, emails) not protected
Digital capacities: Backup files in a separate location
Digital capacities required: Encrypt sensitive files and databases; delete information securely

Threat: Entrapment and assault
Adversaries: Homophobic gangs
Digital vulnerabilities: Dating website profile is public and has a face picture; dating app shares geolocation
Digital capacities: Always carry mobile and let friends know where and when I meet someone; not using dating apps
Digital capacities required: Safer use of dating sites and apps
What are some threats you can think of for you and your work?
Thanks! Michael Carbone
Digital Security Helpline
[email protected]
[email protected]
GPG key: 0x81B7A13E
GPG key: 0x32E8A2BC
More resources:
● Digital security tools and tactics for the LGBT community in the Arabic region, Security in a Box: https://securityinabox.org/en/context/01
● Risk Management, EFF's Surveillance Self Defense: https://ssd.eff.org/risk