The following are community updates from the weekly Glitter Meetup. If you need to connect to anyone mentioned below, please reach out. We do practice "consensual introductions," meaning we have to check with the person before doing so. No names are associated with the summary notes. Please contact us if you have any questions related to these notes. firstname.lastname@example.org
- 1 March 21
- 2 March 7
- 3 February 28
- 4 February 21
- 5 February 14
- 6 February 7
- 7 January 31
- 8 January 17
- 9 January 10
- 10 December 6
- 11 November 29 & 28
- 12 November 15
- 13 November 1
- 14 October 18
- 15 October 11
- 16 October 4
- 17 September 27
- 18 September 20
- 19 September 13
- 20 September 6
- 21 August 30
- 22 August 23
- 23 August 16
What do people understand "UX" means? What are the challenges to making tools more accesible?
UX is an acronym for user experience. When we are talking about UX, we're talking about anywhere where users (of any type) are interacting with technology or tools.
- MailChimp: https://styleguide.mailchimp.com/
- Atlassian Style: https://atlassian.design/guidelines/voiceAndTone/language-grammar
- Simple Secure guidelines: https://simplysecure.org/tags/how-to-user-research/
- Meedan guide: https://meedan-ui-guide.meedan.com/
- Presentator: https://presentator.io/
- Microsoft Manual of Style: http://gen.lib.rus.ec/book/index.php?md5=881E9F18F9EA3665771923A2DF8EB061
- The Federal Plain Language Guidelines: https://www.plainlanguage.gov/
- Let's Encrypt is a big infrastucture project that helps people to get HTTPS on their websites. It is a Certificate Authority, which is part of HTTPS. HTTPS encrypts the communication between your browser and your web server, so the government can't see it. They also can't modify it!
How does Let's Encrypt work?
- For instance, the site we are on now, Mattermost, uses HTTPS.
- That means your ISP can't see what you're typing, because it's sent over HTTPS to Mattermost, so it's encrypted.
- In addition, they can't change what you are typing or the other is typing.
- The tricky thing with HTTPS, like all encryption, is how your computer gets the encryption keys it needs in order to talk to the web site.
- Your computer needs to get those keys from someone it trusts. Operating systems pick a group of Certificate Authorities to be trusted.
- So Let's Encrypt can tell you "the keys for community.internetfreedomfestival.org are XYZ"
- And because your computer trusts Let's Encrypt, it will accept those keys and use them for communication.
Is it easy to set up?
- It is very easy
- If you use whm/cpanel for web server then it'll come by default now. just need to activate it with some clicks.
Differences between DNSSEC and Let's Encrypt
- Let's Encrypt is an authority that helps you be sure that community.internetfreedomfestival.org has XYZ encryption keys
- DNSSEC allows the owner of community.internetfreedomfestival.org to publish statements that anyone can verify. So they can publish the address for community.internetfreedomfestival.org as 126.96.36.199, and we can verify that statement really came from them.
- DNSSEC doesn't do any encryption. It just ensures you have the right IP address. But your DNS lookup and the DNS response are still spyable.
- DNSSEC can't encrypt websites, since it only affects the DNS lookup.
If an isp poisons DNS records and also those of dnssec to include fake signatures our devices will notice?
- The answer is it depends~ TLS currently depends on trusting authorities like Let's Encrypt. DNSSEC depends on trusting owners of the DNS namespace, in a way!
- Report of DNS hijacking: https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
- Dashboard tool built as part of standardization work at IETF where you can test DNS-over-HTTPS: https://netblocks.org/tmp/doh/
News & Updates
- Tor Global South Online Meetup March 1st
- Information about the Localization Lab Summit happening right before the Internet Freedom Festival
The Summit is a chance to identify challenges and opportunities in tool adoption and localization. It's an event for anyone invested in making digital security and circumvention tools accessible for a global audience, promoting local content creation, and supporting more linguistic diversity in the digital sphere is welcome to apply. We are looking for folks working on Internet Freedom technologies or content for a diverse, global audience, like journalists, funders, human rights defenders, digital security trainers, community organizers, UX experts, and developers. We especially welcome communities that use or or are in need of digital security and circumvention resources that are translated, adapted, or created for their unique linguistic, cultural, and technical needs.
If you will be in town early and would like to join, you can send us an RSVP using this link: https://www.localizationlab.org/blog/2019/1/22/invitation-to-apply-2019-localization-lab-summit-amp-sprint
Anyone who doesn't sign up for the national ID scheme by March 31 will have their tax ID cancelled. Aadhaar is a national biometric-based identity scheme in India with over 1 billion enrollments. You submit your fingerprints and iris scans to enroll, and get a 12 digit random number for life. The government insists this is as invasive as applying for a visa to America or Europe, so if it's fine in the rest of the world, it should be fine in India.
From 2009 to 2016, Aadhaar operated without a law, by executive order. The bill was repeatedly rejected until 2016 when the government forced it through the lower house of parliament as a money bill, meaning that Aadhaar did nothing more than control spending from the consolidated fund of India.
This of course prompted even more petitions in the Supreme Court, which finally found time to hear the matter. In 2017, the attorney general informed the court that Indians had no fundamental right to property. The court responded with 9 judge bench judgement asserting that the Constitution of India did indeed have a fundamental right to privacy. Nine judges is pretty epic. The only way the government can overturn that is if a 10+ judge bench agrees, and that's not going to happen.
In 2018, the court turned its attention to Aadhaar itself. They opened with a statement that they will not accept a fait accompli argument, meaning no "too big to fail". If Aadhaar violates the constitution, it should go. The hearings ran from January and the judgement came out in September in which they accepted that the government's powerpoint presentation that the data was secured behind 13 foot walls with commandos guarding it (not kidding) was good enough, so Aadhaar could stay. 4 of five judges in favour, 1 in scathing dissent, and the only one treating it as a constitutional matter.
Of course they can't take away the tax id. Not in law, and not one month before national elections. India has a government that keeps trying to get away with strong arm tactics. They've clearly bent the court. So their threat will be eventually overturned, but life will be hell for those who resist.
You can find more information here: https://medium.com/karana
Venezuela has been experiencing social media censorship. The phishing campaign happened on the 22nd of Feb during the live aid concert. At the end of the concert Richard Branson mentioned the social media blockages during his closing speech and invited people to shout 'libertad' which was very powerful https://twitter.com/NoticiasRCN/status/1099086785555152896
Now Maduro's goverment has a habit of blocking social media platforms whenever Juan Guaidó appears on TV. Yesterday for the first time they blocked Twitter. We are %100 sure of the reason, related to his tweet which includes an audio file uploaded on Soundcloud. https://netblocks.org/reports/twitter-blocked-in-venezuela-noy9d4B3
How would we define DNS and DNS spoofing?
DNS Spoofing is a technique use to confused users, with the outcome usually trying to trick users into going to a malicious website. Basically DNS turns domain names into IP addresses. If you can interfere in that process you can redirect people and their information to malicious IP addresses. Is used for blocking websites, lying, or stealing data.
- One participant pointed that DNS is a network of servers ran by different companies and governments. Usually when you connect to the Internet your ISP will provide you with a DNS server, but you can have others. That means that you can choose your own DNS and you dont depend on the one the company gives you.
- Other participant also added that, apart of what others said, a DNS could be the technology that help us reach places on the internet with just a name (domains)
- It is made easier by the fact that the DNS queries are mostly unencrypted and unsafe, that is why there are a lot of projects trying to make DNS better
DNS Spoofing Cases
- Article explanning in simple words and draws what is DNS and how the attacks work: https://www.derechosdigitales.org/12841/venezuela-cuando-el-atacante-es-el-gobierno/
- A case where entire DNS services are blocked, to encourage using state-run ones: https://turkeyblocks.org/2018/04/02/new-cloudflare-dns-service-filtered-turkey/
- When Wikipedia first started being blocked in Turkey, DNS poisoning was used first, then the SNI filters kicked in for full cover: https://turkeyblocks.org/2017/04/29/wikipedia-blocked-turkey/
- IIRC, Turkey in 2016 also filtered 8888: https://labs.ripe.net/Members/emileaben/internet-access-disruption-in-turkey
- during the catalan referendum they were also messing with DNS https://www.independent.co.uk/news/world/europe/catalan-independence-referendum-spain-websites-blocked-spanish-constitution-votes-a7971751.html https://www.theguardian.com/world/2017/sep/27/catalans-compare-spain-to-north-korea-after-referendum-sites-blocked
- situation in Thailand during IETF103 Bangkok. A lot of work happened there to strengthen secure DNS (DoH and DoT), you can see our public interest hackathon: https://netblocks.org/news/rights-and-privacy-next-generation-internet-protocol-stack-ietf103-WRAeVWBg
DNS spoofing in Venezuela and why we should be worried about it from a technical perspective
The biggest (public) ISP used DNS spoofing to redirect people looking for an oposition volunteer registry to a fake cloned site. The worst part is that even DNS requests to other trusted DNS servers where intercepted and also altered. And the people running the fake site captured some data and published it maybe to persecute those people registered in the fake site targeted as oposition activists.
DNS spoofing prevention
- Use Tor!
- The community has to act fast
- Advocacy and a public outcry is useful when the attack is done
- Use VPN with Firefox with DNS-over-HTTPS enabled, so you make sure you're not using misconfigured VPNs with DNS Leaks (VPNs are sometimes non-trivial to set up and some setups may have bugs that send DNS queries to ISPs without VPN)
- Push technical community to use DNSSEC
Since all participants agree that the best way to solve DNS spoofing is through outcrying, we start to talk about the outcry strategy:
- the noise make other people in this community to share experiences and to vpn companies for example to research more and help us to access in an easier way to their service
- part of the problem of creating outcry is difficulty explaining DNS and the attack, without confusing folks. Lack of coordination to reach journalists, and lack of coordination to reach users.
- using networks of your communities in other countries
- In Venezuela helped a lot to create a network of internet research activist group to agree on actions and to share responsability reaching certain actors:
- report fake websites
- monitor social media and report trolls
- talk with affected site admins
- make basic security assessments to websites
- find contacts in providers (hosting, browsers, etc.) to enable comm channels
- a long etc
After advocacy and outcrying, we founded that the best practices is using DNSEEC:
- For consumers, DNS-over-HTTPS and DNS-over-TLS may be more practical options than DNSSEC.
- It's like https for DNS severs(!): it helps to guarantee authenticity to those who verify it.
- Queens successfully kicked out Amazon - the largest corporation in the world! It was a beautiful campaign win led by women of color activists. Learn more here: http://gothamist.com/2019/02/15/who_killed_amazon_deal.php
Venezuela context: The latest presidential elections were widely regarded as illegitimate, in Venezuela and the rest of the world. The date of the new term came, and the opposition-led National Assembly (Congress) declared Maduro to be illegitimate and per our constitution the president of the Assembly, Juan Guaidó, was declared interim president of Venezuela. Maduro didn't recognize that, so Venezuela, in a manner of speaking, currently has 2 presidents. Guaidó has been recognized by most of the international community and controls several international accounts and assets, but Maduro controls the assets inside Venezuela including the military
Connecting with the technical issue: One of the first things the Guaido-led government did was to accept international humanitarian aid (the Maduro government has been refusing that for years). They also released a website, voluntariosxvenezuela.com, to gather volunteers for the process of receiving and distributing that humanitarian aid
There's a lot of confusion to what is happening in Venezuela, and some of the lastest updates are:
- Since some time ago we are seeing selective blocks to sites of social media and other interesting critic sites
- A couple of days ago there was a big concentration about "youth day" and Juan Guaido announced that the humanitarian aid will enter the country on feb 23
- There is a website of registration of volunteers, this site wass cloned by people related to the regulatory organism (Maduro administration), and apparently tousands of volunteers where redirected there and they gave their data to the Nicolas Maduro regime. They also have a structure in place that would allow them to do phishing on a lot of other websites, including google and social media. They have a lot of .ve domain names that are very similar.
Has there been any attempt to block VPNs and/or use of DNS over TLS / HTTPS? (this is actually an interesting use case for Google's Intra app)
Historically, they blocked Tunnelbear. But there're not signs of other common vpns blocked currently. VSF has pcaps proving DNS injections and responses from the servers.
Do we know anything about the technical people doing the blocking? Have you seen the techniques become more sophisticated?
The techniques are becoming way more sophisticated. Years ago, there were only basic DNS blocks and since last year, we have seen blocks on Tor and now this. They started SNI filtering last year. This year, they started presionly-timed short SNI blocks in a very tactical way. And started blocking some ooni servers to try to stop croudsourced ooni measurements campaings we ran.
It would be interesting to know if the people doing this are home grown talent, or imported.
At the moment everything points to local staff but we don't know yet for sure. They do use foreing companies like DigitalOcean and GoDaddy for this.
In regards to communication, how is the new president (Guaido) communicating with the people curerntly?
Social media is definitely the way. Youtube/Instagram/Twitter have been blocked when Guaido livestreams or has big announcements.
Do you people there in Venezuela have sort of any "national" or "local" social network which is mostly popular in the country (or the area)?
Not really. Facebook, Twitter and Instagram are the most used. And A LOT of Whatsapp
What is the connectivity/internet penetration rate like?
It used to be good, through cellphones, but it's getting progressively worse because of the economic situation. Internet infrastructure is terribly, and by many metrics Venezuela has one of the worst internet services in the region and the world.
It's a bit worrying that most people still get news from TV and radio, which is mostly controlled directly or indirectly by the Maduro government. People often don't know if the errors are just faillues or censorship. That's why for years we have been documenting this, so that the poeple actually realize the level of censorship they live under.
And - apart from blocking of websites - are there any negative legal consequences in Venezuela for speaking in public (online) against the Maduro's regime? For example, these activists who run the website on humanitarian aid / volunteers - do they face any legal threats specifically for their online activity?
Yes. VSF is currently in record territory regarding political prisoners. Is random but historically people got arrested (since 2 years ago at least for tweeting things). The courts, the police and the military are still controlled by Maduro. Until that changes, things actually get worse because they feel cornered and need to crack down on dissent
There is a case of a person who just tweet publicly availabel information form flightradar.com (or similar) and was held incommunciated, tortured and charged with treason beacuse he included publicly available information on the flight path of the presidential plane.
What do you think is going to happen in the next year?
A big difference, and a good one, is that there is hope now. Up until recently there was only resignation. This gives people a light at the end of the tunnel. There are may scenarios of what might happen, it's a very difficult and sensitive situation
- Report on the phishing incident in Venezuela
- Report on the phishing incident for folks following along in English: https://securelist.com/dns-manipulation-in-venezuela/89592/
- Detailed evidence of SNI filtering was published http://vesinfiltro.com/noticias/wikipedia_2019-01/
- 989 political prisoners right now https://twitter.com/ForoPenal/status/1095670524703854592
- What is going on in Venezuela: https://www.youtube.com/watch?v=bEvHwiJWgAY
- Today, we have a special guest: Xeenarh, she has been one of the most impactful digital security trainers in our space. Last year, she recently got hired as ED of Nigeria's The Initiative for Equal Rights (TIERs) wwww.theinitiativeforequalrights.org which protects and supports sexual minorities in Nigeria and surrounding areas.
- TIERs are open 7 days of the week till 8pm and run a clinic with 2 doctors and a nurse so that even folks who have long working hours can stop by to see a physician that is emphatic and they can be open and honest with. They provide free legal services for protection of rights (against state or non state actors) and they do a lot of work in the media (books, movies, series, documentaries) so that they can change hearts and minds while changing the law. Now they have a Safety and Security department to run that here at TIERs.
- One of the greatest shifts they have seen within the region and in the movement is the embrace of new technologies, and the acceptance that it comes with certain risks that people should take precautions on. Where in 2013 organisations were reluctant to adopt some changes, its a lot different now. People are less surprised about capabilities of states, corporations and technologies, and are always open to learning what they can do to minimise harm.
Questions & Answers
- What do you think is the biggest challenge orgs like yous have in regards to digitsec?
- I think the biggest challenge for holistic security for orgs is taking time out to implement existing policies. Things move so fast and is usually life and death (or a stint in jail) for folks we respond to that people will push back so they can do 'more important' stuff. But some organisations are better than others and the biggest difference is size. The smaller the team, the faster they adapt and the longer the change in attitude lasts.
- With the upcoming elex and the world watching is there an opportunity to shed light on underrepresented issues? Will potential conflict and partisanship put the LGBTIQ+ community at particular risk? What can we do to help?
- Elections are always a good time to shed light on marginalised communities (disability, homelessness, LGBT folks). LGBT people were front and centre a couple of months ago when presidential aspirants were asked their position on criminalisation on same sex love and they all had to find moderate positions as opposed to the antagonisms of the past. And although the rhetoric of homosexuality being a western import and being 'unafrican' has been reducing greatly in the past 4 years (the decriminalisation in Angola and the pro lgbti judgements in Kenya have really helped) we are still nervous a public partisan position would be the excuse evangelicals need to rehash that line. As for what can help, giving tools and tactics to groups and frontline activists on how to deal with issues. Fake news is really big here (I curse the day whatsapp groups became a thing, sigh) and there is a likelihood that there might be violence if the sitting president loses. Keep talking and writing about Nigeria and marginalised groups as our country often bows to international pressure and embarrassment. There's also a teeny tiny possibility that the internet could be shut down (as with other elections on the continent) so talking ahead of time to ensure that doesn't happen would be helpful (I should send the handles to tag soon). We are also working on what to do IF that happens...
- what responses have you seen around the group running a project called Una Hakika(https://www.unahakika.org/) which was an attempt to evaluate rumours within Nigeria, in terms of tools, approaches or groups working on pushing back on propaganda?
- So there are tons of people who started working on this in 2018, like verify, dubawa, election fact check, Africa check.
- TIERs award winning book She Called Me Woman: https://www.amazon.com/She-Called-Me-Woman-Nigerias-ebook/dp/B07BH96DQL
- Season 1 of their show Everything In Between: https://www.youtube.com/watch?v=4NBbxEP4pOs
- Documentary Veil Of Silence: https://www.youtube.com/watch?v=wR5dOIUOUjs
- Repeal162: https://www.repeal162.org/
- 1984 is a web hosting company in Iceland that hosts a lot of activist sites, and is linked to security trainers, the Icelandic Pirate Party, and lots of people at IFF
- What can we do in particular instances to help strengthen solidarity,maybe using the Glitter Meetups as a tool in that?
- On of the first things we have to think of is what do these local communities expect as international support and what are their particular needs. We always have to keep in mind that each community is different and they'll need their own specific help or resources.
- One participant pointed that crowfunding specific resources or networks could work.
- A Canadian internet company called Netsweeper is censoring LGBTQ web content and other content protected under international conventions on behalf of numerous regimes with atrocious human rights records.
- Citizen Lab’s latest report used a suite of detection tools to uncover Netsweeper installations in 30 different countries, including 10 that have “raised systemic human rights concerns”: Afghanistan, Bahrain, India, Kuwait, Pakistan, Qatar, Somalia, Sudan, the United Arab Emirates, and Yemen.
- According to Citizen Lab’s findings, Netsweeper filtering solutions blocked media sites in Yemen, political campaigns in the UAE, and religious content in Bahrain. But particularly troubling is Netsweeper’s “alternative lifestyles” blocking category, “which appears to have as one of its principal purposes the blocking of non-pornographic LGBTQ content, including that offered by civil rights and advocacy organizations, HIV/AIDS prevention organizations, and LGBTQ media and cultural groups,” the report states.
Questions for next speaker:
- Can you introduce yourself and your organization?
Pablo is part of the team at R3D. Red en Defensa de los Derechos Digitales or The Network in Defense of Digital Rights (R3D, is a Mexican organisation dedicated to the defence of human rights in the digital environment . R3D focuses on defending and promoting human rights in the digital realm through a combination of applied research, advocacy, and litigation strategies. Its work cuts across the themes of privacy, surveillance, freedom of expression, access to the internet, and access to knowledge.
Adam is the Operations Manager at the Citizen Lab at the University of Toronto and Miles is the Communications Specialist at the Citizen Lab. Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.
- What is Netsweeper? What does it do and how does it work?
Netsweeper is an Internet filtering product developed by Netsweeper, Inc., who are based in Waterloo, Ontario, Canada. It's used by network administrators and ISPs to control access to content on their networks. It inspects the traffic of users on the network, and if a user requests content that belongs to a prohibited category, it will block it. One of the key features of the product is a web categorization database, where the company assigns websites to a set of content categories. The company posts 'live stats' on the number of web pages here: https://www.netsweeper.com/live-stats/
- What are the Citizen Lab findings that were so troubling?
Citizen Lab published a number of reports on the use of Netsweeper to block protected speech, and in countries which raise human rights concerns. You can read all of our research on this topic here: https://citizenlab.ca/tag/netsweeper/
They found that this technology was being used to filter a range of content, including critical political websites, independent media, and religious content. In five of those countries, we found instances of LGBTQ-related content being blocked.
In some cases, custom block lists were created that prevented access to LGBTQ news websites, critical health information on HIV/AIDS and advocacy organizations like the International Lesbian, Gay, Bisexual, Trans and Intersex Association (ILGA). In other instances, non-pornographic LGBTQ content was miscategorized as pornographic by Netsweeper.
Maybe most troubling, they found that in UAE LGBT content was blocked because it was categorized as belonging to the ‘Alternative Lifestyles” category. Netsweeper describes that category as: “This includes sites that reference topics on habits or behaviors related to social relations, dress, expressions, or recreation that are important enough to significantly influence the lives of a sector of the population. It can include the full range of non-traditional sexual practices, interests and orientations. Some sites may contain graphic images or sexual material with no pornographic intent.”
Their testing in UAE found a variety of websites blocked because they were categorized as ‘Alternative Lifestyles” - GLAAD, the Human Rights Campaign, ILGA, the Gay Men’s Health Centre, and Queerty, just as examples. There are likely many, many more examples which could be included here. It’s obviously quite problematic that they’re using the term ‘alternative lifestyles’ to describe LGBTQ identities, and that they’ve facilitated the easy blocking of LGBT content by allowing administrators to simply click a single box.
Censorship cuts deep many Human Rights that are crucial to guarantee the wellbeing of every human being, but even more of those communities that remain underserved, especially in authoritarian regimes.
In the case of Netsweeper, it’s especially alarming because in many of the countries in the MENA region LGBTQI+ populations are criminalized; not having access to life saving information or to communicate to organizations that can support LGBTQI+ folks in case of emergency.
Citizen Lab has identified Netsweeper in 30 countries. In their "Planet Netsweeper" report, thei focused on 10 case studies of concern. You can see them here: https://citizenlab.ca/2018/04/planet-netsweeper-section-2-country-case-studies/
- Your org R3D has launched a campaign with All Out. Can you explain what are the demands?
R3D found that if they wanted to highlight issues from the LGBTQI+ communities they required to work together with LGBT-led organizations. They also collaborated with Citizen Lab in the past, so bringing the campaigning experience from All Out was that extra push R3D required.
They see that it is time to bring Digital Rights to other movements, to support each other and top working in sylos.
R3D has a Github repository that helps them to collect contributions, and outline the participation process, as well as needs from the group. It's still in development process. https://github.com/TecnoQueers/OutintheOpen/blob/master/README.md
What was really upsetting to R3D and All Out is that Netsweeper has received investements in mutiple occasions from Canadian governement; that they are seen as a good company to invest, and that the Canadian government is not really that interested in holding their accountable for providing this kind of services.
So once more R3D is seeing a case on which governments promote companies that develop software and provide services that are not aligned with the international Human Rights legal framework.
R3D and Citizen Lab know that the Canadian government has offered a variety of different types of support - funding grants, support on trade missions, etc., to Netsweeper.
Both have tried to highlight the contradiction between the Trudeau government's foreign policy which supports LGBT rights globally, and their support of a Canadian company which is selling a tool that facilitates the easy blocking of LGBT websites.
In August, Canada and Chile co-hosted the Equal Rights Coalition (a group of states and civil society organizations that addresses issues related to LGBTQ2+ equality). In the lead-up to this, Citizen Lab sent the ERC and relevant Canadian politicians-- including the Prime Minister and his LGBTQ2+ advisor-- a letter urging them to: condemn LGBTQ2+ censorship; commit to taking specific and measurable action to prevent and address the censorship of LGBTQ2+ content; and affirm that Internet filtering technology providers have a responsibility to respect the human rights of LGBTQ2+ persons by ensuring their products and services do not facilitate censorship of LGBTQ2+ content, and to provide a remedy when such censorship occurs.
The letter can be found here: https://citizenlab.ca/wp-content/uploads/2018/07/citizen_lab_open_letter_erc_sm.pdf
As a part of the UN Guiding Principles on Business and Human Rights, all governments, including Canada, have an obligation to protect against human rights abuse by the private sector, including to “set out clearly the expectation that all businesses enterprises domiciled in their territory and/or jurisdiction respect human rights throughout their operations”, including extraterritorially.
Citizen Lab described all the different types of support the Canadian government provided in section 3.4 of this: https://citizenlab.ca/2018/04/planet-netsweeper-section-3-discussion-conclusions/
- How can other organizations and individuals working on digital rights get involved?
Out in the Open emerged from the need of creating local partnerships to share knowldge, campaign together, and build the capacity of LGBTQI+ orgs on digital related matters. It is a partnership to share knowledge, campaign togeteher and build capacity.
Out in the Open is now in an early stage, making needs assesments and understanding how much work there is on LGBT and Digital Rights.
- If someone use VPN, what will happen? Netsweeper blocks it as well?
Netsweeper does have a content category for "Web Proxies", but to our knowledge in most cases if you already have a VPN configured it will let you circumvent the blocking.
- How can individuals communicate why bringing light to technologies like Netsweeper is important, particularly for LGBTQI communities?
The first step is helping the general public understand that human rights and digital freedoms go hand-in-hand. We are seeing a growing understanding of this as people develop more robust digital lives and as media sheds light on how technologies used can be abused.
The next step is highlighting the inequalities when it comes to HOW these technologies are abused and WHO are most likely to be impacted.
A good rule of thumb is: people don't care about reports; people care about people. So putting a human face on these technical issues is paramount to galvanizing support.
- Is there anything folks in the IFF community do to help improve this research, help collect data, or anything at all to help?
Citizen Lab used a variety of data sources in their Netsweeper reports, and one of the most important is OONI. So run OONI if you can! That might be an obvious suggestion to the people in this meetup, but that data is exceptionally important for informing reports, and Citizan Lab thinks advocacy work is strengthened when it can point to empirical research and data.
- Digital Resources and Recommendations on LGBTQI communities:
DIY Feminist Cybersecurity kit: https://hackblossom.org/cybersecurity/
VPN released an online safety manual for LGBTQI communities: https://www.vpnmentor.com/blog/lgbtq-guide-online-safety/
NYC Anti Violence Project released a Safety Tips for Dating apps here: https://avp.org/resources/safety-tips/
- New report and findings by one of the participants & Aspiration Tech: https://aspirationtech.org/humanrights/reports/practitionersustainabilitysurvey#findings
- How apple is censoring the app store in 150 markets around the world - https://applecensorship.com/
- In Privacy LX they are starting having cryptoparties and Privacy events every month: https://privacylx.org
- Just Associates built this feminist glossary: https://justassociates.org/sites/justassociates.org/files/feminist-movement-builders-dictionary-jass.pdf
* On the Training and Best Practices Theme: There are lot's of interest in gamification to explain digisec to cso's and even regular organization staff which is a great step.
* On the Frontlines Theme:
- A lot of countries from Global South want to present the access challenges to the developers and elections and social media. they want more ability to communicate directly to the developers.
- There're a lot of similarities between regions of Global South regarding to non profit development. For example, in east africa, people are talking about doing trainings in the areas where even the electricity is limited, and the capacity of the smartphone people are using. it is the same in Myanmar as well, when we train the investigative journalists, most of them cannot use signal or wire most of the time because of their devices.
- Maybe a Global South developers coalition would work.
- we have to work on finding ways to empower more GS developers to start creating apps/tools that would better work in their community
- developers engagement with the community, mostly the apps/softwares are build before talking to the community
- apps are not going to work on feature phone. and the USSD are controlled by telco or goverments. We need to know what exactly need for the community. every single community needs are not the same
November 29 & 28
* Greenhost Survey Greenhost hosting a survey to find out what tools people are using, so they can improve the services they are offering: https://survey.openappstack.net/164475
* Update from Singapore: The Prime Minister of Singapore is suing a 65 year old Singaporean (civil rights activist), Leong for civil defamation, for sharing on his Facebook (without any comment) a Facebook posting from thecoverage.my (a news media web site in Malaysia) of an article on the involvement of Singapore and the Prime Minister in the 1MDB scandal in Malaysia. We condemn this action of intimidation to curtail the freedom of expression (for reference and information on a private and confidential basis only) - 9.11.2018 email demand from the InfoComm Media Authority of Singapore (IMDA) to delete the Facebook post within 6 hours (deleted immediately), 12.11.2018 Letter of Demand giving 3 days to publish apology, compensate damages and pay costs. 16.11.2018 Letter to commence legal proceedings and asking for legal counsel's name to receive the writ of summons.
* Last Week in India: Dalit Woman made Head of Twitter Cry by Describing Caste Issues on Twitter
On Nov. 13, Jack Dorsey, the Chief Executive Officer of Twitter met with several women journalists and activists in New Delhi to talk about online safety in India. Women journalists and activists from religious and cultural minorities face relentless harassment and abuse on Mr. Dorsey’s platform. The meeting was aimed at helping him and other Twitter executives better understand the magnitude of the problem in India. Sanghapali Aruna, who runs Project Mukti, an organization that leverages technology to empower Dalits to fight caste prejudice, was among the attendees. When Ms. Aruna met Mr. Dorsey she had already left the platform to avoid threats to her physical safety following a doxxing incident after which she was confronted and attacked. As she shared her experiences of discrimination and intimidation on Twitter, Vijaya Gadde, chief legal officer of Twitter, openly wept. After the meeting the participants in the closed meeting posed with a poster of Equality Labs that said Smash Brahmincal Patriarchy. That set off a firestorm in India where upper caste trolls essentially tried to make the issue about the poster as opposed to the issue of online safety in twitter. A bunch fo folks then launched a global solidarity campaign and the whole issue went viral. https://pad.riseup.net/p/indiacall
Many of the activists global relationships is what were able to put the situation into play in order to make this moment really spin to an advocacy moment. Having global internet freedom and wikimedians dedicated to their cause come out was super powerful. It is also a testament to how art is crucial in social movement because the poster was the match that set the whole thing off. In India people are exhausted by the troll armies and in the last week alone the BBC, TWITTER and the Swedish embassy have all been attacked.
Background: The Indian troll phenomenon comes from the 2014 Prime Minister elections where Narendar Modia and the BJP It cell built one of the largest troll opreations in the world. They did not dismantle it after he won they grew it and it is this troll army that has weaponized all the platforms in india including twitter, facebook, and whatsapp. It is both humans and bots and rich app ecosystem. You can read more here: https://mashable.com/2016/12/27/bjp-planned-online-trolling/ AND ALSO here https://gulfnews.com/world/asia/india/when-narendra-modi-and-his-troll-army-massacred-the-freedom-of-expression-1.1542607702139
Caste is on of the oldest systems of oppression in the world. It is a system that separates on the basis of what family your born into and there for caste which determines the whole of your life. The ruling party the BJP in India is Hindu fundamentalist party. Its goals are to create an ethno religious state that consolidates brahminical religious control of India. And uses violence to distract from its larger goals of land and labor exploitation. Caste is it is a system that separates on the basis of what family your born into and there for caste which determines the whole of your life.
Demands of Indian Marginalized Groups to Twitter
1) Twitters lack of reporting mechanisms for the problems of caste. They need to incorporate this.
2) They want to have linked a feminist approach to the internet as part of the platform accountability because the troll culture itself is feminists and casteist and so its a really great example of how global feminists solidarity can not only help in fighting back but also putting forth visionary options.
3) They are also looking at how to get platforms to stop talking about individual harassment and to start talking about disinformation. The platforms are very reticient to do that and the activists have to do a lot of political education to get that there
Global Solidarity: What the IF Community can do to help:
Things that the community can do to help with the current situation, besides the call to action
1) Join the Coalition: Dalit women are working with colleagues in Viet Tran and Myanmar to launch a coalition of global south groups working on platform accountability, so they can leverage global positions in battles like this. Among many reasons this group was started, countries from the global south represent 70% of the market and yet their issues are always put to the bottom of priorities. Organizations should reach out to XXX, XXX, or XXX on IFF Mattermost (or contact the IFF) if our organization wants to join the coalition.. The group wants to figure out how Twitter and fb are effecting people in their own context and is there away to leverage this conversation into a global accountability convo. (They note that these companies work like colonial outfits and their local representatives do not have as much power as silicon valley anchors, so important to raise this issue in US as well).
2) Sign the Letter: They are continuing to ask Twitter to address the issue of caste and the issues of harassment and disinformation on its platform. The activists will be circulating a letter with an ask for signatories for people to ask twitter to add caste.
3) Support Feminist Internet: They have linked a feminist approach to the internet as part of the platform accountability because the troll culture itself is sexist and casteist and so its a really great exmple of how global feminists solidarity can not only help in fighting back but also putting forth visionary options.
4) Share news/stories up from all over the world showcasing how these social media companies are affecting the local context by not being responsible, to help raise awareness.
. . Long Term Goals to help with Social Media Problems
1) More investment to develop talent in the Global South. It takes time and effort to develop leaders who can speak at international levels.
2) More Global South folks doing innovation derives to develop more tech from their communities.
3) More investment in capacity building.
4) Creation of hackathons or other projects for visionaries from global south so as to build a feminist internet and free ourselves from colonial models of tech. "We have to move out of rapid response to visionary."
Glitter Meetup Participants Feedback and News:
- Countries form the global south represent 70% of the market and yet are issues are always put to the bottom
- Twitter's side there is no understanding of caste, local culture, languages, slag etc.
- Some governments are the biggest supporters of trolls, having the biggest IT cell to spread trolling and fake news. Examples: @ https://thewire.in/politics/up-bjp-cyber-sena-social-media-voters @https://www.thewire.in/politics/narendra-modi-amit-shah-bjp-india-media
- The government of Egypt force Twitter accounts with more than 5000 followers to register as a media company
- Social media is creating health issues in certain places and even threats on the lives of people/activists. For example, a lot of people are trying to live up to what the media expects of them...and it's caused an increased rate of depression
- Elections are pivotal for misinformation on SM: cause there is a lot of information being shared either to campaign for or against someone which can also be true or false. In our country this year there was an increase of misinformation or fake news to the extent of sharing fake results online using SM platforms of prominent people with a large number of followers
- In Zimbabwe, there has been a real increase in hate speech/disinformation in the Zimbabwean context for the past two years mainly because they were going into elections and the president was over thrown. Difference in opinions has triggered a lot of hate speech
- For Facebook there's a massive problem for countries in Southeast Asia and in East Africa, Latam...Basically any place that Facebook is used as both a tool to organize or to publish. Irreparable violence has stemmed from misinfo, hate speech in India & Myanmar. Facebook and the platform itself has been slow to counter, to the point of negligence. it's now become the standard for twitter as well.. both platforms are having a hard time dealing with fake news, bots. One of the issues is that these platforms seeks to be an international force but does not hire local talent that can help the company understand local context, leading to shitty policies crafted...leading to deaftone responses when harm has been done
- In Bangladesh, there are multiple players working to spread fake news and miss-information for upcoming election.
- Mexican journalists have reported that attacks against them on SM has increased in the last year.
- Flexibility of Mastodon as a Twitter replacement. They believe that If people who being targeted start using mastadon/etc, purely through "it being extra work for a troll to move there" it will (possibly) reduce the trolling. But if the trolls are financed by the government/powerful entities this move won't stop them. If the trolls actions are against the law, the most logical step is to go after the troll arm actions, the supporters/financiers of the trolls. If it is a powerful entiry/government, well thas a fight that twitter must have if they want to really support their users.
- Internet companies need to support the underrepresented more than others. if they are going to get into markets where there is inequality, they need to try to educate, or provide access to education for people to challenge incorrect or discriminatory views.
- Social media companies should hire more local talent that understand the problem, have better policies to deal with hate speech, and craft better technical solutions to counter things like phishing, fake news, bots.
- Facebook are testing and slowly rolling out ways to counter fake news, but that process should be informed by the folks who are most affected by fake news.
SOME RESOURCES or NEWS for FAKE NEWS AND MISINFORMATION
- Great report from BBC about fake news and casteist troll infrastructure https://www.bbc.com/news/world-46146877
- Troll Busters was created by a black woman journalist in the US who was tired of seeing trolls attack other women journos. troll-busters.com
- Everyone should install https://www.newsguardtech.com/ which helps you verify sites of information.
- The most difficult thing about working with other trainers is to get all team members focused on the result. We all are stuck to our practices and experience to some extent. Some trainers just cannot choose a different perspective. It's not easy to say: "Allright, there's a presentation (an exercise, a RPG, a quiz, etc.), let's make it as good as we can using all our resources"
- One of my big reasons to go to IFF is to discuss what are good ways to make the most collaborative teams. We don't have a single brilliant receipt for a cool collaborative team. A participant suggested several sessions for IFF. One of them will be about team building for holistic security trainers. To share the positive experiences: Did you manage to involve “other” experts into this work effectively? If yes, how did you get them out of their nutshells? Did you have any positive experience with organizers of events and donors so they supported your holistic approach?
- Holistic security approach involves different aspects: digital, psycho-social, physical, legal. It can be rather difficult to join efforts of experts who used to work in their narrow fields, mostly because they see little perspective. “I’m a legal consultant, please keep all that computer tricks away from me”. Or: "We want a digital security training on how to protect our social network accounts, we don't need a psychologist, we are OK".
- Other participant pointed that we should talk more to each other - from their experience, we all do our homework before a training, we go and make sure we have the most updated info on things... They think we should share this with one another, and also,They think we get the same questions... so sharing that too should become a thhing we do.
- There is a big gap between tech skills and basic dig sec training skills.
- There's a gap between tech skills and training skills
- We need to build more programs and talk more with funders to not rely on unicorns who can do both, but support teams
- The participants conclued that it should be a combination of things: Security audit (safetag) + security development plans + trainings plus general enlightment
- Trainers need resources and financial support but there are tons of things that we need to do and that are not being done or being done unsufficiently. For example, people who produce various sorts of educational products such as guidelines, online courses, interactive exercises and even articles are able to get feedback before they come out with final versions of their products. This could help to fix bugs, reach audiences in different regions/cultures, strengthen our working contacts.
- some groups are generating so grerat materials super segmented to certain groups that outside that group the material is impossible to adapt, and the the knowledge isn't applicable to other audeinces and get lost.
- does it also include more people moving out of google mail and google docs because that might be secure but does not support privacy and is still the most used solution by our kind of organisations and donors
- Manuals are the best resource but it depends on the trainer.
- IMHO content should always be written starting from the needs. Ideally a good training content is a content that has been elaborated with the people the training is aimed at. Check for instance the very good manual against online and offline harassment created by tactical tech for women and trans* persons. It has been created in collaboration with those communities. The content and the creation process of this manual are excellent.
- there's value in shared core materials, tools, and approaches, but to actually provide a good service, you really have to tailor it to the needs of who you're working with.
- all such recommendations survive only if they are updated regularly and in time. Also, it's super important that they are constructed in a way that make them easy to be adapted for different contexts (cultural, political, social)
- There isn't a space where conversations between trainers happen.
- On participant said that they feel there are core components of Holistic-Security and Level-Up that are useful for a very long time; but anything that starts talking about specific tools or technology gets outdated (often dangerously!) quickly. It would be nice if they not wait until the upcoming event but do some development (more beta testing if needed) before it, there's much time ahead.
- sometimes even "basic" explanations are not good enough. For example, 2FA by SMS is not advised by many authords because the technology itselt. However, there's another argument which work better in our local audiences - a threat of SMS duplication. for anything to last and be flexible, it has to be super high-level, and then be adapted as the threats and tech changes, as well as respecting different contexts (2fa using an app or hardware device my be financially unfeasible)
- There's one gap that trainers/experts can easily fall in: believing that their audience / country / context / particular group / etc. is way too special so other experience isn't much applicable
- Digital Rights Monopoly Toolkit: https://drive.google.com/drive/folders/1EFE-NRBw8TIReU-xxjqjPHJa8-Bqcq3F
- Ranking Digital Rights (or RDR) is a research project that sets global standards for how companies in the information and communications technology (ICT) sector should respect human rights. They focus on privacy and freedom of expression, and last year they analyzed 22 different internet and telecommunications companies around the world (https://rankingdigitalrights.org/index2018/). Basically, none of these companies give users enough information to understand how their freedom of expression and privacy are affected by using the companies' products
- The companies in governing privacy and freedom of expression have a huge role at least as important as many governments.
- In 2012, Rebecca MacKinnon, director for RDR, puplished Consent of the Networked, that explains how tech companies and internet service providers collect massive amounts of data on nearly everyone on the planet, and have incredible power to censor, filter, and otherwise control the content that people read and post online https://consentofthenetworked.com/
- RDR can't measure what actually goes on inside companies, so instead they measure what companies SAY they do -- what kinds of commitments they make to their users and they look at 3 main kinds of disclosure: 1) governance (how the company makes decisions related to human rights) 2) freedom of expression (rules for what people can say and do online, and how they're enforced) and 3) privacy (data collection, data sharing with governments, technical security, etc)
- Chinese companies in 2017 https://rankingdigitalrights.org/index2017/findings/china/
- Russian companies in 2017 https://rankingdigitalrights.org/index2017/findings/russia/
- internet policy in Russia: https://nathaliemarechal.files.wordpress.com/2018/08/networked_authoritarianism_and_the_geopo.pdf
- for Nigeria, a lot of service providers do not handle data privacy so well and they are usually exchanged with third party org. a lot
- As a result of RDR work, the companies are making small changes. The biggest change from 2017 to 2018 was Apple: thanks to RDR efforts, they now call privacy A FUNDAMENTAL HUMAN RIGHT on their website, startup screens for Macs and iOS devices, and more. And, they just released a database where anyone can see ALL the different kinds of info that Apple has about them -- it's only available in the EU and US right now (i think) but they're in the process of rolling it out worldwide.
- you can see all the year-on-year comparisons here https://rankingdigitalrights.org/index2018/compare/
- Other people can use RDR methologogy in their own countries. All of their material is creative commons, and their team is super happy to help people figure out how to build on their work. There's a list of RDR adaptations here, so you can get an idea: https://rankingdigitalrights.org/adaptations/
- A good example is from SMEX, comparing all the telcos in the Arab League companies: https://smex.org/dependent-yet-disenfranchised-the-policy-void-that-threatens-the-rights-of-mobile-users-in-arab-states/
- Russian legislators often say "it's only the international experience of the most advanced democratic societies we rely on" when they propose yet another repressive draft law. For example, they say, it's FARA that we followed when we labeled the most active Russian human rights NGOs as foreign agents. It's good to have more people from abroad speaking that what's going on here is actually NOT any "international experience", at least not the best one. I wonder if arguments of this sort are used by legislators (and those who implement such repressive laws too) in other countries and whether investigations made by teams like RDR help you in any way when you oppose such practices.
- A positive surprise was Kakao, in South Korea, a company that has lots of users around SE Asia:https://rankingdigitalrights.org/index2018/companies/kakao/
- Google get the highest score in our ranking (but it's still only 63% so i wouldn't call it "good") they make most of their money from tracking what people do online and offline and then selling targeted advertising -- scholars call this "surveillance capitalism" or "data capitalism" and they have good data security overall. https://rankingdigitalrights.org/index2018/companies/google/
- In Russia, Google is the very first candidate for people who switch from Russian companies to something "more reliable". The vast majority of HRDs and independent journallists whom I have worked with are somehow connected to Google: mail, docs, calendar, etc.
- Whether Google will eventually return to China remains unclear, but Google is clearly working on it
- RDR have some of their materials available in Arabic, Chinese, French, Russian and Spanish. https://rankingdigitalrights.org/index2018/download/
- Malaysian gov is passing a bill to abolish mandatory death penalty in the country. All the inmate in death row will be pardoned with life imprisonment.
- Taiwan has upcoming local level elections (mayors) in November, so now candidates are campaigning. In the Taipei city they also have 2 city representative from the local civic tech community (g0v) running for election. And thy've just celebrated the national day (Oct 10), their president mentioned "fake news" multiple times, and said that the government will have some measures against it. OCF will support community initiatives focusing on combatting fake news/misinformation. The biggest misinformation initiative in the g0v civic tech community is "Cofacts" https://cofacts.g0v.tw/en , it's a chatbot, designed to reply balancing opinions when forwarded a message.
- The Iranian Gov is expanding its capacity of internet censorship to the outside of Iran. In some cases if the website is hosted in Iran and they blocked it, more than likely that website is going to be blocked for the entire world. The method that they use for this kind of blocking is so simple. They inject an Iframe to the website (Which according to the Iranian cyber crime law is illegal) However, if the website is secure with SSL, they cannot block them. Recommending that Iranian websites use SSL certificate such as let's encrypt. Here is a link to this research https://www.iranhumanrights.org/2018/08/one-year-under-irans-telecommunications-minister-mohammad-javad-azari-jahromi/ this is a new move.
- In Bangladesh, government is implementing internet controlling system before next election https://www.thedailystar.net/frontpage/news/social-media-contents-strict-watch-polls-1638862
- In the last 18 months, Vietnam has seen dozens of activists jailed for simple things like posting on facebook. The govt has sentenced activists to 15-20 years in jail for organizing or being part of networks/movements working for change. It's had a chilling effect on the entire space. The Vietnamese govt just passed a law making it illegal to post on FB "offensive" content. They are also dealing with govt-sponsored trolls on FB, a lot of fake news. The Vietnamese community is facing real fatigue because they are constantly advocating for so many people in jail.
- In Germany, during the reunification holiday, a spokesman for the AfD (new Nazi party) pointed to anti-fascist protestors and said that when the AfD gets in power, they'll use all the surveillance being gathered now to come get people.
- In Latin America there is a lot of information disorders /fake news/ misinformation and we see that many different motivations can lead certain groups to do this kind of activities, we want to build a research about that but we have seen from criptocurrency mining to trolling.
- In Venezuela they just had the first formal case of a jailed politician killed by state forces while in custody. This sets a precedent for activists and politicians. This suggest the risk level are even higher than before
- This spring, a bunch of civil society organizations from countries experiencing acute problems with the Facebook platform (fake news, hate speech, censored post) started to write a letter to Mark Zuckberberg, on the many problems with Facebook. They continue working towards a collective solution. Today, the coalition is researching the response time that Facebook has to take down hate speech or content that violates community standards. They have a growing list of countries contributing to this research. If you would like to get involved, email email@example.com
- http://fatabyyano.net is a nice initiative that is countering fake news in Arabic on Facebook. A team of volunteers basically takes every viral fake news and debunks it.
- In Mexico, they are still dealing with the problem of having thousands of disappearances and feminicides in a lot of regions
- OCF's hosted a "Combatting misinformation workshop" in June, and it went very well. Can advise others on how to do this.
- Tunisia, they have been through a lot of political instability episodes since the revolution of 2011 and are suffering from the excessive presence of hate speech on social media and fake news.
- One participant pointed that she has a v narrow focus when it comes to cell phone security right now, and she primarily works on studying the latest generations of imsi catchers which work on 4g/LTE. There is not much information available about them (since our main source of info is leaked documents, FOIAs, etc ...). She's also working on building an LTE imsi catcher catcher, so that we can try to detect this newer generation of surveillance equipment. The main thing She's noticed is that more and more law enforcement agencies are buying these devices, and getting away with refusing to respond to requests for information about them (e.g. refusing court orders to give up info about them). Currently they're trying to implement it in Facebook messenger (previously it only supported LINE)
- E2E encryption (or just setting one's phone to only use LTE tbh) makes you much less vulnerable if you're worried about communication interception. but there's little you can do to avoid location tracking if an imsi catcher is being operated nearby.
- For next IFF, participant would love to learn who to build their own infrastructures and get less dependent on google, facebook and others (they noticed that Github, used by a lot of us, was bought by Microsoft and they have to find a way to protect the things they use to be taken over by those companies). They'd like too to discuss handling harassment on federated/otherwise independent platforms.
- They noticed that there has been of craze of Holistic Security over the years which several people across the globe have been implementing and incorporating in their trainings. It would be nice to have feedback on lessons learnt on this & some shortcomings that they might have noticed.
- Also there are several methodologies which are being used or tested or experimented by community members doing security audits, it would be nice to have a conversation around that too. In terms of tools being showcased, I feel there should be a way next IFF where participants are practically taken through different apps/tools and they have a full appreciation of the tool ie have a tool/app show room.
- Other thing that would be nice to see in the next IFF is advices on how to communicate to the general public the importance of the internet governance, digital privacy, equal access, etc
- there should be something for upcoming tech and the risk factors (AI, etc)
- More sessions on building our own infrastructures and get less dependent on google, facebook or others. For example, Microsoft just bought GitHub, what does this mean for us?
- We've gotten to the point where people recognize that psychosocial care is a vital part of security training - are there best practices about cultural sensitivity, and ideally "nothing about us without us" (to borrow from the disability activism community) as a pillar of this work? (mainly thinking of how funders approach these projects - no more putting people on planes to lecture for a day or two)
- Talking about the "Training and Best Practices" theme, it would be great to have some trainer gatherings at different experience levels (and one large combined one) to actually have that discussion in person!
- With a general view, our participants would love to see, talk and discuss during the next IFF:
Emerging threats related to AI Building infastructures that respect femenist principles and provide "safer" experiences How to better do outreach/advocacy Alternatives to "private" corporate services we all depend on. How to better address different skillset in the community.
- The IFF is developing a Therapist Primer for the community members to give to their therapists so they can understand the working enviroment and or the cultural factors of this space: https://internetfreedomfestival.org/wiki/index.php/Therapist_Primer
- What is the point of revolution if we can't dance
- New report on DDOS attacks on Vietnamese civil society. https://equalit.ie/ddos-attacks-vietnamese-civil-society/
- Therapy is a process. It is not a quick shot. You have to work hard to improve yourself. Mostly therapy is a way to restructure how you think and how you interact with your environment.
- There is a misconception because associate therapy with being mentally ill, but you don't have to be mentally ill to go to therapy. Many of your thoughts can cause damage, and you may not be aware until its too late. However, therapy is also like going to the gym - its a long term process. You can't expect to repair the damage done for years in just a couple of hours. The more you wait to ask for you help, the more you will need to work on your problems, because the main problem you had may have affected other areas.
- In places like sub-saharan Africa, going to therapy is associated with rich people, or folks that are not mature enough mentally.
- PTSD (Post traumatic stress disorder) is when your body is experiencing a fear of being damaged when there is no real danger. Take for example, a solider that comes from war. They can relive their traumatic event(s) in dreams, or feel bad, or develop unhealthy beliefs.
- You can try to encourage people to go to therapy by explaining that intelligence is has flaws. Just like I wouldn't do my own plumbing, and hire a plumber...Its okay to hire someone who specializes in understanding how to correct assumptions or unhealthy thoughts we may have. This does not make you weak or unhealthy. This makes you human.
- Many people in the space feel that many times their efforts are worthless. Every other week there is yet another threat to our digital freedom that we must think about, and that is a continuous pattern. The feeling of never doing enough combined with the fact that things are not getting better. Also, for many people in the community that are "social interaction" nodes, sometimes the work can be very hard. For example, in trainings or risk assessments activities, some activists can turn emotional. For example, individuals may break their silence about certain experiences and this could be hard to manage for some facilitators. Usually it ends being a good place to do catharsis and the people feel better after this kind of processes. However, those that are placed as facilitators don't always feel 100% comfortable with this role because they don't know if they are doing the right thing. These folks really need trainings, books, courses etc, so they understand how to deal with these situations in a better way.
- Some folks in the space mention that its super difficult to identify a model of assistance that works. Services are too pricey for activists to priortize therapy, and there is a lack of resources for this. This is horrible, because small local groups are more at risk.
- How to remain sane in digital rights? Remember that you only can do your best. If it's not enough, it's ok. You can ask for help! The important thing is to "do your best" in an optimal level. If you are burnt out, this will effect your work or impact. So its okay to tap out from time to time, and do only the amount you can handle. If you feel more and more sad over the time, a therapist sure can guide your thoughts. Maybe you need to reconnect with yourself on a personal level; maybe you are passing through a bad time, and that affects the perception of your job. Maybe if you are always feeling that you don't do enough, you are carrying with too much weight. Also, it may help to lower our expectations. In other words, understand that maybe you can't personally and individually can't change the global society structures, but I can be really helpful to the people that I am helping.
- There are different types of therapy and you should do research before you pick a therapists. Some therapies focus on feelings and understanding how that determines our actions; Some focus on learning new skills (more practical) that change our bad behaviors. So what type of therapist you need is going to depend on your situation. It’s not going to be the same if we are dealing with emotional situations or dealing with a problem like fear of flight.
- On-line sessions are as sucessfull as face-to-face sessions.
- However, therapists working with activists in on-line sessions have to make sure the data is protected. We may have to create a document for therapists that has privacy.security guidelines and characteristics of the space.
- Resources: association of therapist 24/7 online that adapt to your agenda https://www.talkspace.com/
- Questions about whether there is a way to do a psychology audit/assesment when working with groups.
- How to stay outraged without losing your mind https://medium.com/the-coffeelicious/how-to-stayoutraged-without-losing-your-mind-fc0c41aa68f3
- Burnout and emotional toll on people that are the "listening" ear in activists groups. They need more training from therapists to help create better boundaries. This includes trainers. There is a need for training of folks who are handling alot of the emotional labor by therapists who can help create processes and systems. For example, in some organizations they are dealing with deaths which is very traumatic.
- In addition, people with mental health issues rarely seek counseling/support - until probably it's too late. Majority of these include women & youth
- Psychologist without Borders may be a good starting place.
- it's really hard to find a therapist who understands online threats
- One idea is to write up a "fact sheet" for people just starting with therapists that explain the community and context to them. So it serves a premier.
- SAFIGI (Safety First for Girls) we did a comprehensive research on safety - with the understanding that safety is internal and external. Internal safety being peace of mind, heart, and emotions. External safety being protection of the body,other person and environment). Of 327 people surveyed in 6 countries, we found only 12% girls had learned about mental health in high school and below. This affects every aspect of their life. https://www.dropbox.com/s/a8u8ladyjcncfrl/Data%20Analysis%20Safety%20Report.pdf?dl=0
- We can't give people the impression that they can self-care really hard at systemic oppression. More research needed in this area.
- Someone looking for organization that can help doing self-care for human rights activists/defenders for SEA region. Also noting that mental health awareness is extremely low here and, people often asking us to STOP WORKING in activist spaces if they feel stressed.
- Participants noted that at the point where people most need therapy, they're either pushed out of organizations after the organization fosters an abusive environment, or have burned out because activism is stressful
- Also noted that the look how cool I am, everything is broken and the NSA is in my living room right now!" training method can make people more scared than they were before
- One in every four Kenyans may suffer from mental illness at one point in their lives. That is 11.5 million people (out of the 48 million people). US Latinas has the highest suicide rate than in any group in the US.
- Some of the communities of color in the US communities seem to a) bring in cultural spirituality So for example, some latino groups they may bring in elements of caribbean spirituality. b) they understand and remind each other they have a strong connection with their ancestors c) they opently talk about the mental stress d) they are focused on having exercises that are meant to strenghthen your moral and understand you are part of a bigger family.
- In some countries, there is a huge lack of therapists so they go to places like church.
- the disability subreddits are supportive. The moderators remove any "yoga will cure you!" posts and there are a lot of people who post about being newly diagnosed and the mourning process afterwards
- Some self-care activities: Reading fiction, volunteering, spend time with family that is quality, allow yourself to take breaks, exercise, find life outside of your work, go to nature, massage, meditation, do art.
- The Intersection of Things is a feminist podcast about the internet and everything it touches. Every other week we take a topic –like health, or pride, or consent–, contextualize with the internet and tech, and try to approach it from an intersectional feminist perspective.
- The wish or goal to improve a space always has to start with empathy. So a simple first thing to kickstart the improvement of spaces is to listen to communities we want to make these spaces better for –be them our own communities, or communities we are not a part of. Consuming media (podcasts, videos, books, blogs, etc) produced by and for these communities is a fantastic first step.
- Intersectional Feminist Perspective: We borrow the term “intersectionality” from scholar Kimberlé Crenshaw, who initially coined the term to describe how an individual's experience is not only affected by factors like their race, socioeconomic class, abilty, gender, orientation, etc. But rather it is how all of these elements mix (or "intersect") what informs how someone navigates and experiences the world –and how the world treats THEM. So we take this lens of intersectionality and want to look at the internet through it by asking questions like: how does privacy affect people like me, who are not only queer but queer, and women, and of colour, etc etc etc
- A key part for any person or organization doing outreach is to know what –ideally– outreach should be. For example, outreach should be a thing that is not just added at the end of a project. Outreach is the act of including people or organizations in the building of the project itself. Outreach is usually done at the end, as a dissemination piece. A key thing that would differentiate tokenism from collaboration is at what point in the project do you bring in people from different perspectives, and how much we listen to these perspectives. It is not enough to have people in the room just to have us all there.
- The beauty of communities that reflect the rich spectrum of humanity is that one is, or should be, constantly aware of how different each of us might experience the world. For example, something that might be very "progressive" for me, might be something that is in conflict with someone's traditions. So the challenge is, how do we see each other, how do we share space in a way that celebrates and respects each other. So, one of the biggest challenges is listening to one another –and it is hard! But it is very rewarding, and you leave these spaces a different person (in a good way).
- Related to how to be a good allie: Listening is very important. We are all going to make a mistake at some point —how could we not, the world is messy. What I find fascinating is that a lot of the impact of when things go wrong comes from how we react to our mistakes. Often, there is an element of defensiveness (we "lose face"). But I think practicing slowing down, apologizing, and owning up to the the thing that went wrong is important. Also important: if we ever unintentionally cross the line (for example, an off handed comment in the workplace), we must apologize but not let the other person do the emotional work of making us feel "ok".
- Many folks commenting on the rate of burnout people are experiencing. In addition, marginalized groups are affected psychologically when they are in an environment that doesn't support them.
- There is a test people do in some trainings to see how stressed they are.
- Participants noted that disabilities don't really get talked about alot.
- There is always alot of emotional labor being done by people of color on team that isn't paid. they become the diversity recruits.
- Code Switch is a great podcast about race and the world today. - Note to Self is "the tech podcast about being human" is a fantastic listen too. - Third Wave Urbanism and The Black Urbanist podcast is another good one. I love when someone takes an area (like urbanism) and looks at it through a different lens. These pods do this. - Books: "the poverty of privacy rights" by Khiara M. Bridges. Such a fascinating read (example: how much surveillance do you think pregnant women in social assistance are subject to? A classic of code switching and double labour is Frantz Fanon's Black Skin White Masks. Algorithms of Oppression by Zeynep Tufekci, and Weapons of Math Destruction by Cathy O'Neil are both fantastic.
In this piece by UNHCR's innovation team for refugees, they analyzed all their public posts, and found that there is a huge imbalance in quoting men versus quoting women. And when they analyzed who wrote the article, they found that shockingly out of all the men who wrote the posts, only one woman was quoted. In any article they wrote, ever. http://www.unhcr.org/innovation/gender-imbalance-innovation/
- For IFF, people want to see more sessions that integrate with the Academia as there is a feeling that there is a widening gap between academic researchers done in terms of risk threats etc around HRDs and activists and professional trainers. Academics need to better appreciate the work being done by professionals in the digital physical security spaces.
- More sessions that focus on intersectional feminism, and past "white feminism" and white/cisgender/straight fragility to get things done without tokenism or exclusion.
- More sessions geared towards new people and smaller sessions for skill building for folks that have some basis.
- Remembering how far the community has come in regards to collaboration..when it was super competitive before.
- Have to have an honest conversation about collaboration. People brought up things like LevelUp and Safetag, that galvanized a responsible community of trainers, brought a lot of new faces in, and built a largely evergreen curricula which people still use today, but hard to sell because of the community-owned model. Also, hard to track numbers because a) website didn't track users so no stats on usage, and b) a community who for lots of really solid reasons doesn't report back about how many trainings and where they took place. he orgs who put out this stuff are constantly strained to both maintain it, but also to keep moving forward with new programs, as they don't get to "own" these things they created. Again, this is a long term responsible thing to do, and benefits the community much more effectively, but it means a lot of hard work above and beyond daily fixing things. Another problem is training...it takes an organization time to learn how to do it properly and create proper structures. Collaboration means being motivated by different things, and valuing other things more highly
- In Malyasia, two women were caned for having "lesbian sex." The community is there trying to mobilize to get international support. Updates to come soon. https://www.theguardian.com/world/2018/sep/03/women-caned-in-malaysia-for-attempting-to-have-lesbian-sex
- At the same time, gay sex was just decriminalized in india
- In Bangladesh, to increase female participation, what was effective was 1:1 participant for male and female. after few training session the participants spread the word about the importance. now a days most of the female participants willingly attend at training or meetups.
- GAMES FOR TRAINERS:
- Yoshi Kohno at the Univ. of Washington has developed some games https://homes.cs.washington.edu/~yoshi/
- From Kseniia @ CitizenLab, a great game she developed:
The following is from someone from your area of the world. This person is willing to talk to you via email, if you wish: I'm not doing any 'games' but what I often do is drawings. That worked very well on trainings I did for feminist collectives.
We do 2 sets of drawings. 1 drawing in the beginning of the training: I ask them to draw how they send a message to their contact, and if there's something weird going on, please represent it on the drawing as well.
Usually I give 5-10 minutes for that, after first round of "oh my, I am a don't know how to draw" and so on and a round of encouragements Then when everyone is done I collect drawings, and quickly look at them. Usually there are "trends" in the group: there are some common ways in which people tend to represent how they see networking and transfer of data, and also some common ways in depicting the "adversary"/"adversaries" (e.g. the danger being on the server side, or the danger being between client and server, or in the client, or in the "physical world" (physical threat) and so on). So I give myself some 3 minutes to group these drawings according to these representations, and give short comments on these groups, encouraging every time the person for their effort and good intuitions (because very often they do have very good intuitive understanding of both transfer protocols / networking and threats), but also explaining if some things are represented in a technically wrong way.
Then I ask people if I understood them right and ask them to comment on their drawings if they wish. People like to defend their visions, and often the comments are interesting to hear - as a trainer I understand where some of the misunderstandings hide (underestimation or overestimation of risk for example...). But it's also a good point to start the discussion.
After this first debrief is done, I usually use a whiteboard / blackboard to list the different kinds of "adversaries" or failures people have drawn. Then I comment on each of them and ask people if they know how to defend from that. Again, in a feminist perspective I was trying to always let people suggest their own ideas of self-defense, and let others correct / criticize their fellows. Only in case of a very wrong intuition that can be dangerous, would I interrupt that process. However, after listening to all these comments, I would wrap up and write good tips down, and give some more advice as well as - for every kind of threat - some sources to go look into (online guides, videos...) and some tools if they have not been mentioned.
After that, in the end of the training, I would ask people to draw me a second round of drawings - how would you like the Internet to be? Draw me a perfect communication. This second round of drawings is very important for several reasons: first, it helps to cope with the stress of the training (because a lot of these women had hard time talking about threats they had experienced, and in general, security trainings give you a lot of stress to cope with).
Second, it breaks the dystopian technological visions that somehow dominate our space, and sets the imagination free to draw collective visions for better tech but also for better communities (kind of speculative fiction approach). In the end, I collect drawings and look if people dream of similar things. Surprisingly very often we see that somehow people project very similar ideas (for example in case of Russian feminist workshops, there were a lot of visions that looked like p2p distributed networks without any centralized servers or anything that would look like central points of failure). I would ask people to briefly comment on what they wanted to say, and in case when people's "dream technology" had a real correlate, I would give them tips to go check this or that tool or project (for example, Mastodon for or Briar...).
- Here are two examples of games and activities for digisec training (in Spanish)
1) Amiga cifrada: how to organize an exchange of GPG keys (by @ciberseguras) https://ciberseguras.org/como-organizar-un-intercambio-de/ … 2) A las calles sin miedo: manuals and a board game https://infoactivismo.org/a-las-calles-sin-miedo-herramienta-ludica-para-la/ 3) http://www.sulabatsu.com/blog/sula-batsu/mediacion-descarga-libre-del-juego-huells-mi-rastro-en-internet/
- How to create strong passwords with dice 🎲🎲 (in English) https://www.eff.org/dice
- Hacking Games: https://training.ashleyblewer.com/presentations/computers#20
- My Shadow has great games. https://myshadow.org/
- The Police Department of Bangladesh Government opens a tender. The tender notice is to procure IMSI mobile monitoring/tracking systems, including its ultra-portable backpack version. “IMSI” stands for “international mobile subscriber identity” and the devices in question are basically eavesdropping gadgets used for intercepting mobile phone and its data traffic, as well as tracking location data of mobile users. If I’m not wrong, they essentially create a "fake" mobile tower acting between the target mobile phone and the service provider's real towers to intercept communication related data. http://bangla.cptu.gov.bd/advertisement-goods/details-60402.html
- The SecureDrop project is going to have 0.9.0 release on September 5th. If anyone wants to help in translation, they can help by joining the localization-lab-chat channel.
- Woman group in Zimbabwe is looking to start their own radio channel. If you have resources or good educational materials, let them know
- Karisma running an online campaign against online violence against women, specifically against "machitrolls" or "macho trolls" https://karisma.org.co/unidas-contra-los-machitrolles-acompananos/
- Someone in Lisbon is starting a privacy meetup.
* Notes from talk from Nathaly on Cyber Feminist Radio and networks:
- Map of cyber feminist structures in Latin America: https://enredadas.org/2018/08/08/mapeo-de-iniciativas-ciberfeministas-latinoamericanas/
- When conducting an interview, if the person you are interviewing has to be extra careful about their privacy and/or security, someone from the radio crew will talk as them, recreating their voice. (ie, so at no time do they use the person's voice)
- Always use safe channels online and offline to talk to your interviewers
- They do have some channels like a cyberfeminist mail list and one of the rules is to have a secure mail like rise up, and we use PGP all the time to share information.
Tools that can be used to create your own radio:
Software: Audio editing: Audacity or arduor
Educational Manuals in Spanish: Curso virtual: feminicidio y periodismo https://radioslibres.net/curso-virtual-feminicidio-y-periodismo/
Despatriarcalizar la Comunicación: periodismo inclusivo https://radioslibres.net/despatriarcalizar-comunicacion-periodismo-inclusiv/
Escuela ciberfeminista https://escuelafeminista.red/
Recommended Feminist Radio Channels
Encuentro de ciberfeminismo Ecuador https://soundcloud.com/tristanaproducciones/encuentro-ciberfeminismo
El desarmador https://eldesarmador.org/
Cyborg feminista radio https://cyborgfeminista.tedic.org/tag/radio/
Wambra radio: http://ciberfeminismo.elchuro.org/cobertura/
tropica media http://tropicamedia.org/
La Radio q genero http://www.laqradiogenero.com/
- Someone is trying to apply SAFETAG for LGBTQ communities in South Asia.
- Totem project is an online platform helping journalists and activists use digital security & privacy tools and tactics more effectively in their work by Greenhost and FreePressUnlimited. https://totem-project.org/
- Malaysian Parliament passes bill to repeal Anti-Fake News Act last week
- IFF Fellowship deadline has been extended to August 27.
- In Zimbabwe, there was a constitutional court hearing yesterday for the just ended elections where the opposition party is challenging the results that were announced. Judgement will be announced tomorrow at 1400hrs UTC+2
- Someone is working on a due process (appeals) campaign targeting social media platforms (primarily Facebook) and would love to chat off-list with anyone interested or working on similar things.
- The Tor meeting will be happening in Mexico end of September.
- SAFETAG is an assessment framework to work with organizations and help them build informed decisions about the risks they face. It provides a wide variety of different activities: some very research focused, like understanding the context the organization is working within -- each organization has a totally different set of risks depending on their context; Some are very technical, such as scanning office networks to understand what systems and traffic are on the network; and many are "interpersonal" -- simply talking to staff members, interviewing management, and running exercises to help the organization build a cohesive and shared understanding of their risks and which of them they accept, and which they want to prioritize to mitigate.
- In the best case, you should have a few people helping out -- one person who has a more digisec training background, and another who's happier sitting in the back room hacking around on things. Often funding and scheduling mean that one person has to do all three, so careful planning and preparation are important -- you do NOT want to be researching how to nmap an organization without crashing their computers in the middle of an assessment. In addition, there is value and more impact if the audit is done by more people with different skills other than a single person.
- SAFETAG scoping questions are really good to help people understand their risks.
- Some folks have it customized for working with LGTBQ in West Africa.
- SAFETAG wants to be community owned, but depends on people taking ownership/participating.
- Even though someone might be from a different parts of the world, so many common problems come up that are similar. So you may think your approach only applies to some super specific situation, but almost guaranteed someone else is facing the same problem
- Best tips, for network scanning - (a) be careful and (b) keep it balanced. A lot of the tools, even "simple" nmap, have a lot of super dangerous options, and you really never know if a computer is going to be vulnerable to a 10-year-old bug. Start super lightweight, and super low-impact, even flooding a system that may be a few years out of date can cause it to fail, and then you're suddenly halfway through an audit and have to stop to fix something you broke. Look at software versions, and peek via nmap on weird ports being open before doing anything more intense
- The other big tip is to not get trapped in any one approach. People with hacking/pentesting backgrounds tend to ignore the interactive parts, and people with training backgrounds tend to shy away from the technical pieces. It takes both, plus a solid base of research, to really understand an organization. Also, and super important, you can also spend a LOT of time digging in to some really obscure tech things, and lose the opportunity to ensure you have a holistic view of the org.
- The SAFETAG translation in Spanish is out of date. Ping them if you can help identify chunks to prioritize for funding.
- Re: network scanning, a super fun thing to do (but requires a system with a decent chunk of RAM and a few hours of access to a lot of bandwidth) is to download some vm images. vulnhub is a good repository, and MS has some testing images for old versions of windows (see the safetag reference file here for links: https://github.com/SAFETAG/SAFETAG/blob/master/en/references/network_env.adids.md). Use virtualbox to run them locally and have them all on your local network, and then you can use nmap and such locally (do this at home, you can even have it set up to truly be a "fake" network on your computer only -- do NOT do it on a shared or work network!!) This is a great way to get started exploring and using different scanning options
- New org in latin america in the works ( Con-nexo). They will be developing projects on capacity building on security, research, security support to organizations, tool development and community generation around communities at risk and security in general.
- Lots of love happening for SAFETAG fellowship
- Zimbabwe still doesnt' have a president even after voting
- Found out Digital Society of Zimbabwe was born in the IFF :)
- Folks working on security investigation framework in tails. Prototype coming soon! Github here: https://gitlab.com/scif/whiskers
- Blog posts coming out taimed at helping new auditors get in the SAFETAG mindset; as it can be very overwhelming to try and tackle the guide as it exists now
- Someone who did research on digital censorship in post-soviet states and how each country's approach differs (about a third have very free internet and about a third have internet censorship in place), is currently talking to a publisher about turning it into a book on the history of censorship in the region.
- Someone is cultivating digital security trainers to assist HRDs in Southeast Asia as many trainers are still flown in.
- Past DIF Folks asking that a community is created so they can further connect.
- Various games made by people in the community such as BLOOG: how formal and informal groups interact in crisis. we called it ENCAPE http://blog.bl00cyb.org/2017/08/interfaces-between-formal-and-informal-crisis-response/, Malicious Content, the infosec card game like Cards against humanit, and the depressing, Cards against Humanitarians" -- now JadedAid -- http://jadedaid.com/).
- First alpha version Tor Browser coming out soon!
- Maybe a hackathon with artist, process oriented.