Nathan White

17 October, 2017

We owe it to each other to get serious about digital security

Credit: Michael Coghlan - Creative Commons

Civil society organisations exists to make the world a better place. Some of us work on corporate transparency, others on voting rights, and still others on government accountability. While we each have different goals, increasingly the way we work is becoming reliant on digital technologies and spaces, such as the internet. We conduct research, we collaborate, we store and share information, and we build coalitions all on the internet. For most of the past two decades, that has helped us unite and become stronger together. Unfortunately, our increasing digital connectivity also creates a shared vulnerability that threatens to undermine our work.

Access Now is a human rights organisation that works to protect our digital spaces. We operate a 24/7 global helpline for users at risk. As such, we work with civil society groups around the planet and have witnessed the increasing attacks on our digital spaces and our ability to harness the power of the internet.

In particular, we’re watching an alarming increase in the number of “Internet Shutdowns” in which governments use their privileged position to shut down entire networks. Both blunt and broad, these attacks make our work more difficult. Fortunately, groups like the #KeepItOn coalition have formed to unite across sectors to push back on this trend.

In addition to attacks on the network generally, we’re also documenting attacks on specific organisations and even specific people using sophisticated malware. These attacks make it difficult to work together, to use the tools of the internet, or even trust the data we rely on for informed decisions. For example, anti-obesity activists in Mexico reported concerns about their digital devices. In collaboration with Citizen Lab, we discovered they were being surveilled by sophisticated spyware that should only be available to governments. The example shows that all of civil society – even those members operating in countries generally thought to be relatively free – are under threat.

It is becoming increasingly clear that threats to our digital civic spaces affect all of us. And yet many of us working in civil society organisations are unaware of these threats and certainly do not have the tools or skills to combat these threats.

This issue was discussed at the International Civic Forum, held in September, in Washington D.C. Through collaborative discussion across sectors represented, we determined a great need for digital security training, resources, and a culture shift to internalise basic digital hygiene.

Participants concluded:

  • Civil society is a target for surveillance
  • Even if an individual is not targeted, we have a professional obligation to enact practices that help keep the sector secure
  • There is no silver bullet. Digital trainings are important, but we need a cultural shift.
  • Funding organisations have a key role in promoting this trend and funding it
  • Digital security audits could become part of funding applications
  • Funding organisations must commit to making funds available for security
  • Security is a process. We can always get better, but it will never be “complete”

In addition, to these specific points, we also established the ongoing need to promote awareness of digital security across the sector through discussions like the Civic Forum. There is a cliché that there are two types organizations, those that know they have been hacked, and those who don’t know that they have already been hacked. Civil society is under constant assault. We must unite. And if we don’t, all the work that we do around the globe is under threat.

Further Resources:

If you have an urgent digital security problem, you can contact Access Now’s Digital Security Helpline. If you’d like to connect with an expert about a security audit, you can reach out to the newly formed Digital Security Exchange which connects NGOs with trusted security experts. And if you want to know what goes into a serious security audit, check out the framework provided by Safetag.

Leave a comment