Digital Security is highly relevant, especially in human rights work. We talked to Daniel Moßbrucker, security advisor and expert on surveillance and data protection, about this important topic and his experiences in Uganda and beyond.
Julian: Daniel, how do we know what is generally needed for our digital security infrastructure as an organization working for human rights?
Daniel: This is highly individual and relies on your context. There are of course certain techniques that are mostly helpful, for example encrypting your communication, anonymizing your online behavior and securing your online accounts against hacking. However, just imagine you live in a country in which only the use of encryption for emails might cause some suspicion. In such a case, it might be even better to leave your emails technically unencrypted, but try to hide your sensitive messages in a float of other, non-sensitive information, and to use certain code words. The process of doing such an assessment systematically is called threat modelling, which consists of four basic questions: What do you want to protect? Which adversaries are interested in your assets? Are these adversaries able to succeed? How likely is an attack? In my work with human rights organizations, we build these threat models to get an exact assessment of the situation in order to take the best countermeasures available.
Julian: Alas, theory and practice are sometimes two pairs of shoes. Setting up our own infrastructure, we realized that it can be quite a demanding task. Why is it so hard to “live” digital security?
Daniel: There’s of course a gap between theory and practice, but this is not unique to the human rights sector – that’s the case everywhere. The challenge with digital security is that the threat is invisible: If a thief wants to pick our pocket, we can make an assessment of our environment, look into our adversaries’ eyes, can run after them. Surveillance, however, takes place without any notice: We don’t hear whether the state intercepts our phone calls, we are not notified if our email provider hands over our messages to an investigator, and we do not realize if our accounts are hacked professionally. That’s why a lot of people underestimate the danger of digital threats, just because they are not aware of them.
Julian: What general experience have you had in your advisory work with human rights organizations?
Daniel: For human rights organizations, the core challenge is a tight budget, that mostly doesn’t allow advanced security software and hardware, together with limited knowledge and awareness of the staff. These circumstances are even worse, as the structural burdens for human rights organizations are quite special: They often cooperate systematically with other organizations in projects, so that they technically may remain one organization, but they communicate with a bunch of other organizations every day in their projects. In other words, you need a security infrastructure for your own organization, but also for all of your projects in which a lot of other organizations with their own rules, tools and needs are involved. This often leads to chaos, and bringing structure and compliance into projects is my main task as a security trainer, rather than recommending certain tools.
Julian: What are the major digital pitfalls you see for the human rights sector?
Daniel: As I said before: this is individual. However, what I observe in general is that organizations are mostly victims of attacks that are relatively basic: hacking of accounts due to weak passwords, no two-step authentication, no training to identify phishing attempts, no backups. The most likely attacks are surprisingly the ones that are theoretically easy to prevent, and that have been known for more than two decades now. While the rather political discussion often deals with very sophisticated state-driven attacks, in which malware exploits publicly unknown vulnerabilities in software, the reality for 99 percent of the organizations is different. The sad reality is: It is too often still so easy for adversaries to get valuable information with unsophisticated attacks, because the organizations and their employees ignore basic steps to prevent them, so that adversaries don’t even have to use their most recent hacking tools.
Julian: You have been to Uganda recently and met with members of the DHRLab Community of Practice on ‘Digital Security’. What have you taken away from the workshop and your time in Kampala?
Daniel: It was a great day, in which we worked together on a tool that should allow organizations to easily set up their own digital security concepts. It is developed by Deutsche Welle Akademie. In the end, everybody is responsible for their own security measures, but we would like to give organizations even with small budgets as much guidance as possible to create secure and realistic solutions. The input from the local community was very helpful for us, and I was impressed by their motivation to help us and their creativity to build an innovative tool.