Online Safety and Security Toolkit

Introduction

Your security is important to us. The Internet can be an empowering tool, but it involves risks. We believe that every woman can use her voice to create a free and equitable world.  However, speaking about politically charged issues or asking tough questions can put our community members at risk for intimidation, surveillance, or physical violence.

You should know that World Pulse is not equipped to provide legal protection to online community members facing security threats online or offline. However, we are dedicated to providing our community with tools and knowledge to take steps to protect themselves without compromising their bold voices. We are including a list of organizations that may offer legal assistance, additional resources and/or information. In the interest of public safety, you are free to print, post, or distribute copies of the security resources as you see fit; we only ask that credit is given to World Pulse.

We also encourage you to share new information, strategies, and tips in your World Pulse journals to promote safety among the World Pulse community as well as offline in your local community. If you have any questions, please don’t hesitate to contact us. 

 

Sections

1.      Citizen Journalist Safety Worldwide

      1.1           Risks

      1.2           Stakeholders

      1.3           Vulnerability

      1.4           Threats

      1.5           Visibility

      1.6           Anonymity

      1.7           Support Networks

      1.8           Tips

 

2.      Online Security

      2.1.          Passwords

      2.2.          Malware Protection and Prevention

      2.3.          Backing Up and Deleting Files

      2.4.          Using Public or Shared Computers

      2.5.          Advanced Tips

 

3.      Additional Security Manuals

 

1.  Citizen Journalist Safety Worldwide

While opportunities to relay breaking news through social media continue to expand, many countries have increased censorship and surveillance by monitoring Internet cafes with hidden cameras, blocking websites and jailing bloggers. Each country has its own laws that define how much activity authorities can access and monitor. For example, in the United States we have the Communications Assistance for Law Enforcement Act. Since laws regarding the Internet can shift dramatically in response to rapid developments in software and technology, as well as changes in the political climate, it is critical to stay informed.

An important topic that is rarely touched upon in the news or in journalism trainings is the threat or reality of sexual assault, particularly for women journalists. In a world where sexual assault is increasingly used as a tool of war and oppression, journalists unfortunately face many of the same issues. To read about this issue, go to the Women's E-news article, Matloff Breaks Silence on Reporters' Sex-Assault.

Your emotional health as a journalist is also important. Interviewing victims of traumatic events or covering war crimes and other abuses can take a toll on you as a journalist. We suggest that you check out the Dart Center for Journalism and Trauma, particularly their article on Posttraumatic Stress Disorder.

Explore some of the most recent threats to journalists and press freedom in your country and around the world. Excellent sources are the organizations Reporters Without Borders, the Committee to Protect Journalists, the Index on Censorship and the International Federation of Journalists. On these websites you can find out about cases where journalists have been threatened or jailed as well as read reports tailored to each country.    

 

1.1  Risks

Citizen journalists offer new perspectives and coverage of events that may challenge the interests of powerful people, organizations, corporations and governments, putting them and those close to them at risk of danger. FrontLine Defenders, an organization that provides support and resources for human rights defenders, has devised a helpful way to think of risk:

  • What you do can lead to threats.
  • How, when and where you work raises issues about your vulnerabilities and capacities.

Threats, however, do not just drop out of the sky. They are carried out by individuals or a group of individuals who may be identifiable or anonymous. These individuals are called stakeholders.

 

1.2  Stakeholders

Stakeholders are individuals, groups or organizations that are affected by or have an interest in a particular issue. Before you raise questions and reveal details that may challenge social norms or people in power, there are some questions to consider.

  • Who are the stakeholders in your story?
  • How does your story impact their interests?

If your story impacts them negatively,

  • What is their capacity to respond?
  • What threat tactics might they utilize?

A stakeholder may react out of fear if they feel that their power or authority is in jeopardy or if they disagrees with your coverage. This is not necessarily a reason to change your coverage. Their fear may come from a lack of understanding or it may mean that power is being shifted and you are making a difference. With a careful assessment of your vulnerabilities, you will be better prepared to deal with threats and able to reduce the possibility of being harmed.

 

1.3  Vulnerability

From the definition of risk above, we understand that how, when and where you work can increase your susceptibility to danger. Analyze your vulnerability by thinking about your travel habits, with whom you associate with, where you live, how you access the Internet and your methods for communicating, navigating, publishing and organizing online.

  • What are the strengths of your routines?
  • What are your weaknesses?

Perpetrators of violence typically devise their tactics for attack based on their own careful analysis of vulnerabilities. To understand your weaknesses and create responsive strategies means that you are being proactive and gaining control of your safety and your life. You are then less likely to have to react to a threat because you have already reduced the probability that it will occur in the first place.

 

1.4  Threats

Threats can be annoying or can disrupt your life and the lives of your family and friends. They may be planned or spontaneous and come in many forms such as slander, harassment, misinformation, surveillance, blackmail and disappearing. Threats and the fear that they generate affect us emotionally, physically and psychologically. Over time they can take a toll on our bodies and our families, causing irritability in our relationships and distrust among our closest friends and allies. The following are some suggestions should you experience a threat:

  1. Acknowledge all threats instead of denying or ignoring them.
  2. Develop strategies that minimize your risk, keep you safe and promote your wellbeing.
  3. Monitor the incidents. Notice any trends that may identify the perpetrator or reveal information about their tactics.
  4. Tell others about the incidents to prevent isolation and suffering in silence.

Throughout this process, be sure to do an emotional check in. Ask yourself, how am I being affected? How are my relationships being impacted? Be honest with yourself and those closest to you and most importantly, make your security a priority.

The following is an overview of steps you can take to ensure you remain out of harm's way. When responding to threats, the strongest strategies are often those that are the most flexible and adaptable to the situation. What may be useful at one time may not be helpful later on. Since one's risk varies according to location, involvement and journalistic content, it is especially important to analyze your own situation and customize your safety plan according to your experiences and resources.

 

1.5 Visibility

There is no single, fool-proof way to protect you. Some bloggers work tirelessly to boost their Internet presence and forge strong connections with high profile organizations and major media outlets. They feel that their visibility is essential to deterring threats and that the more attention they can draw to themselves and their work the less likely they are to be intimidated, attacked, or worse, even disappear.

 

1.6  Anonymity

For those who are under heavy surveillance or are experiencing threats on their life, visibility is not an option. They may use pseudonyms when they post to their blog or when they sign into a computer at an Internet cafe. They may work from unmarked offices or reach out to individuals or organizations to have their articles published anonymously. There are pros and cons to each strategy, however. If you choose this route, take precautions and let people know where you are in case something should happen.

  • On World Pulse, remember that you don’t have to use your real name as your username. Your username can be a pseudonym. If you would like to change your username, contact the World Pulse online community management team.

 

1.7  Support Networks

The backbone of any security plan is a strong support network that may include family, friends, coworkers, organizations and other allies. Your network can provide emotional support when you are in need and help increase the visibility of your blog. Having a large network exponentially increases your resources. Each friend and colleague has their own wealth of experiences to draw from and can reach out to their networks for ideas and assistance. In the case of an emergency, they can also quickly raise awareness and mobilize supporters.

 

1.8  Tips
  • Post from public computers that are used by a large number of people, such as at Internet cafes or a library, to reduce the possibility that you will be identified. Be aware that Internet cafes and libraries may keep a log of users or have hidden video cameras.
  •  Always be aware of your surroundings, including what is happening and who is present.
  • When meeting a source for an interview or information for a story, tell someone where you are going, who you are meeting, the time of the meeting and what time you expect to return.
  • Keep track of your documents and research. Store copies in unsuspecting places or with members of your support network. Take extra precautions when crossing borders with sensitive information as hard copies and your computer can easily be confiscated.

 

2.  Online Security

 

2.1  Passwords

Passwords are an everyday part of our online lives. They are the gate-keepers to our online accounts. A strong password will include a complex variety of characters: numbers, symbols, and capitalized and non-capitalized letters. They should be easy to remember, but seemingly random so they are difficult to crack. Since personal information such as birthdays, addresses, names or ID numbers are the most obvious to guess, and can be used for identity theft if discovered.

  • Tips for Creating a Strong Password:
    • Abbreviate a familiar phrase: To be or not to be, that is the question = 2BonTb,Tist?
    • Replace letters with numbers, such as 4 for A, 0 for o, 3 for E, etc.
    • Make your passphrases twelve or more characters long; this makes it harder to crack using various software programs.
  • Protecting your Passwords:
    •  Do not share or store you passwords.
    • Don’t use the same password for multiple accounts.
    • Change your passwords every 3 months or more often if you use internet cafe systems or computers other than your own.
    • Some accounts are compromised via lost password recovery systems. Be sure your security questions and answers for your accounts are not simple and easy to guess.
  • Use two-step verification (sometimes called two-factor verification) when possible 
    • This service will send you a text message with a code that you will need to enter when you are logging into an account from a computer you haven’t used before. It is one of the best things you can do to make sure your account doesn’t get hacked, although it does require the use of a cell phone.
    • Here are links to set up two-step verification on commonly used websites: Google | Facebook | Yahoo | Twitter | Paypal

 

2.2  Malware Protection and Prevention

Malware is short for malicious software, such as viruses and spyware that access your computer from the Web without your informed consent. Malware can be used to intercept sensitive information, monitor your internet activity, or attack your computer by deleting or corrupting files. Here are some strategies, tools, and resources you can use to protect yourself from Malware:

  • Web Browsers: We recommend you use Mozilla Firefox, Google Chrome, or Apple Safari to access the internet. These can be downloaded for free, are more secure than Internet Explorer, and are updated frequently.
  • Facebook: To ensure that your Facebook sessions are secure, you need to go to your Account Settings, select “Security” and then enable “Secure Browsing”. This will ensure that you are operating from an “https” connection and not the more hackable “http” connection.
  • Anti-Virus Software: Anti-virus programs offer a first line of defense against potential problems. Update your anti-virus programs regularly to protect yourself from new malware threats. Some recommended programs are AVG Anti-Virus Free Edition, and Avast! Free Anti-Virus Download.
  • Identifying Trustworthy Websites: Sometimes websites are attached and compromised by Malware, but your internet browser has encryption tools available that you can turn on or off. The two main types are SSL and TLS. They use complex algorithms to verify a website’s security certificates. Under your browser’s Preferences, you can find your browser’s encryption options. Select both if possible. If you have to choose, we recommend TLS – it is newer and has stronger algorithms. Check your email and instant messaging software to see if they have these options, or others.
    • When there is a lapse in security, you may receive a message, for example that the security certificate of the website you are attempting to visit has expired. This may mean it simply hasn’t been updated, or it is a legitimate warning of an attack.
    • Tip: Spammers sometimes try to hide the real link location by using hyperlinks. To check the real website address of a link, hover your cursor over the link (without clicking it), and in the bottom left corner of the browser window, the real address will appear.
  • As a general rule, never open e-mails, download attachments or visit links that are sent to you from people you do not know and trust.
    • When downloading files online it is helpful to be able to identify the type. The file type is usually three letters after the period in a document name. The file type tells your computer what program to run in order to open the document. Here are a few of the most common types which may be familiar:
      • .pdf: Portable Document Format most commonly read by the application Adobe Acrobat.
      • .doc: Microsoft Office Word Document
      • .xls: Microsoft Office Excel Spreadsheet
      • .jpg or .jpeg: JPEG image files
      • The most common malicious file types are .exe and .scr. These types of files run applications and are not necessarily dangerous. However, take extra precautions to verify that you are downloading them from a trusted source.
      • A comprehensive list of file types can be found at this site.

Additional tools to verify the security of any link you would like to visit:

  • AVG Link Scanner – this is an add-on you install for Firefox or Internet Explorer to detect threats and show you if a site is trustworthy or not.
  • Web of Trust – another add-on for Firefox or Internet Explorer that ranks millions of websites on relative security. You can use these rankings to browse sites you know you can trust, and avoid suspicious sites.
  • McAfee SiteAdvisor – One more add-on for your web browser that identifies trustworthy and untrustworthy sites.

 

2.3  Backing Up and Deleting Files

Backing Up Files: It is a good idea to have multiple copies of your important files for the many "just-in-case" moments that can happen. Sometimes computer crashes can cause you to lose all of your files. Sometimes files are confiscated by authorities. Sometimes you can accidentally delete an important file. In any case, backing up your files will save you the heartache of losing your hard work.

  • Physical copies: You can store copies of your writing on USB flash drives, CDs or with printed copies. For particularly sensitive information, you might decide to label your CD with a pop-music title as a security strategy. Also, keeping copies in different locations is a good idea: one at home, one at work and one with a friend. You might choose to keep the files in a less-than-obvious location in your home, or to separate sensitive files from one another to mitigate the risk of someone finding all of them at once.
  • Online storage: You can use your e-mail account as online storage by sending files as attachments to yourself. There is a limited storage capacity on your e-mail account, and there is no automatic update process, so you might consider using a program to upload and store files. DropboxMozy, and SpiderOak are all good options giving you free, secure storage for 2GB of files.

Securely and Completely Deleting Files: When you put a document into the Recycle Bin on your computer, and empty it, you have not completely eliminated all traces of the document. To erase all evidence of a document, you need to overwrite, or wipe the space on your hard-drive. This is the equivalent of using a paper shredder instead of a garbage can or recycle bin. You can download a free program, CCleaner or Eraser to make this process easy. These programs can be carried with you on a USB flash drive and then used with a public computer. It is important to be careful with this tool, as you can accidentally make some documents permanently irretrievable.

 

2.4  Using Public or shared computers

When you use a shared or public computer, it may be possible for other people to see your e-mails and IM chats and/or keep track of the websites you access and your e-mail contacts. You may want to take extra steps to keep your searches, browsing history and personal identity private. Here are some tips on how to do that:

  • Use private browsing mode, which will not store any of your session information. This means that anyone who logs onto the computer after you will not know what sites you visited, even if they look at the browser history; also, your passwords and other personal information will not be stored. Different browsers have different ways of enacting this mode:
    • ​​Firefox: Click on the “Tools” menu (an icon with three horizontal lines in the top right corner of the window) and select “New Private Window.” Alternatively, you can use the keyboard shortcut “Control + Shift + P.”
    • Chrome: Click on the “Tools” menu (an icon with three horizontal lines in the top right corner of the window) and select “New Incognito Window.” Alternatively, you can use the keyboard shortcut “Control + Shift + N.”
    • Safari: Click on File > New Private Window.
    • Internet Explorer: Click on Settings > Safety > InPrivate Browsing. Alternatively, you can use the keyboard shortcut “Control + Shift + P.” Note that we do not recommend using Internet Explorer because it is not as secure as other browsers.
    • If you are not sure which browser you are using, visit: http://www.whatsmybrowser.org/
  • Do not check any box that says “keep me signed in” or anything similar. If you do, your account will stay logged in even after the browser is closed. This can be convenient if you are the only one who uses a computer, but on public or shared computers, this means that anyone can access your account after you are done using the computer.
  • Never leave a computer unattended while you are signed in. Someone can easily access your information, even if you are only away for a moment. It’s best to completely sign out of any accounts before walking away from a computer; you can always sign in again when you get back.
  • Be aware of your surroundings. Someone may be looking over your shoulder to try to watch your fingers as you type a password, or they may be able to see your screen as you are accessing private information. Some internet cafes have cameras; these can be great for preventing theft, but they can also record your activity.
  • Avoid confidential transactions. Try to avoid using a public or shared computer to log into a bank account or other online service that involves confidential information. You should also avoid entering your credit card information on any public computer. If you must do so, use extra caution—take a look at our advanced tips for more information.
  • Protect passwords or other sensitive information from keyloggers. Keyloggers are programs that can record your keystrokes, and they make it easy for hackers to access information such as passwords, credit card numbers, and other sensitive data. Unfortunately, keylogging programs are fairly common on public computers, but there is one thing you can do to easily “trick” these programs:
    • As you are entering a password or other sensitive information, pause in between letters (or characters) and click anywhere in the browser window that is *outside* of the field where you are typing (do not click a link that will take you to a different page; you want to stay on the same page). Now, type a few random letters (they don’t need to appear on the screen), and then return to the field where you were typing and continue entering your password (or other information). The keylogging program will think that the random letters you typed were part of your password, and it will therefore not be able to steal your password (or other information).
    • For more details on this technique, check out this article
 
2.5  advanced Tips
  • Edit the Timestamp on your blog post. If you are using public computers that maintain a log of users or monitor usage with video cameras, this will lessen the likelihood that your blog post would be associated with you when you accessed the computer. If you are frequently blogging around the same time of day, delaying your post time may prevent others from noticing your habits and identifying you.
  • Use a proxy server (web proxy): Open proxies are servers that act as an intermediary between the person surfing the Web and the information they request. Very simply, it allows dozens to thousands of people to share an IP address different from their own. By masking your IP address you add a high level of anonymity to your online presence. The main downside to proxies is that since they send a request for information to another server instead of directly to the page you are requesting, they can significantly slow you down.
    • IP Address: IP stands for Internet Protocol. Your IP address is a unique number assigned to a computer network. If you are using a router to connect multiple computers to the Internet, all computers will be identified with the same number. It looks similar to this: 96.193.7.192. You can check your IP address at What is My IP Address.
    • Even though your IP address cannot be tracked through highly anonymous VPNs such as Tor, traffic can be monitored as it enters and exits the network. Remember to check your IP address before accessing pages with your proxy to make sure it is fully functioning.
    • Besides providing anonymity online, proxies can also allow you to access content or Internet services that authorities may have blocked. One of the most popular forms of censorship on the Web is called content filtering. This is usually used by governments to block websites, e-mail servers or social networking sites. For example, when protests in Iran broke out last year, the government shut down access to Twitter in an effort to silence voices of dissent. Using Web proxies, people were able to access Twitter and share information with the world.
    • Recommendation: Tor is an excellent, sophisticated tool for circumventing Internet filtering and helping protect your anonymity online. One drawback is that it is slower than other solutions for browsing, and it can be harder to set up than other tools. The Tor Browser Bundle takes care of all the setup and using a Tor bridge may help speed up access.
  • Another option is a Virtual Private Network. These all require you to download software and thus cannot be used on public computers. Once you access the network, your communication is encrypted and not visible to those outside of the network. One free VPN is UltraVPN. This service masks your Internet connection by connecting you to servers in France. This allows you to access blocked content, securely e-mail and instant message and protect your computer if you're accessing Wi-Fi out-and-about. If anonymity is crucial to your safety, another option that is more complicated is Tor. Global Voices has created a guide to Tor that can be accessed here: Global Voices' Anonymous Blogging with Wordpress and Tor.
    • Use a proxy server when creating an e-mail account to prevent your IP from being logged with the website and your account.
    • Remember to check your IP address before accessing pages with your proxy to make sure it is fully functioning.
  • Free Encrypted E-mail: E-mail identities can be easily forged, so depending on what you are sending and who you are sending it to, providers such as Hushmail may be an ideal solution. They use an encryption program called PGP/GPG (Pretty Good Privacy/GNU Privacy Guard), which uses a series of keys to code and decode the e-mail. PGP/GPG also verifies the identity of the sender and receiver to ensure maximum control over your communication. For more information Rise Up provides an in-depth explanation of the process.
  • Disposable E-mail Addressing (DEA): DEA accounts are available for a period of time from 10 minutes to three months depending on your needs. Your account information is then deleted when they expire. Since they each function differently, read through the FAQs before using. Be aware that with some services such as Mailinator and TempEmail, all e-mails are viewable by whoever accesses the website.
    • When registering with any account, only share information that is required. Addresses, phone numbers, etc. are usually optional. Providing them can expose you to unnecessary risk. You can also use pseudonyms for this process. DEAs can backfire on you if you forget your password. Forgotten passwords can usually be retrieved, but only with the e-mail address that is on file with your account.
    • Resources:
      • 10 Minute Email forwards mail directly to the 10 Minute Email website for 10 minutes. If you need more time, you can extend the period for an additional 10 minutes.
      • Guerilla Email is available in English, Spanish, Polish, German and Dutch. Accounts are active for 15 minutes.
      • Meltmail forwards e-mails to your account for a designated period of 3, 6, 12 or 24 hours and then expires.
      • Filzmail is active for 15 minutes and has the additional option of forwarding e-mails to an RSS Feed. If you use this option remember to delete your feed before ending your browser session.
      • Mail Expire creates an e-mail address that is active from 12 hours to three months.
  • Instant Messaging (IM) and Online Chatting: Instant messaging is one of the least secure ways to communicate over the Internet. Sensitive information should be shared at a minimum while instant messaging due to the ease of intercepting messages and eavesdropping on conversations. The most secure option for IM is a plug-in called Off the Record messaging (OFR) which can be used with the IM software called Pidgin. Always explore your Preferences to find additional security options that may be specific to that software.
    • Skype and Google Chat inside HTTPS-secured Gmail are good options if you believe that your accounts will not be targeted by hackers. A much more secure option is using Pidgin to access a number of chat clients (Google Talk, etc.) with the Off The Record (OTR) plug-in -- this ensures that even with your encryption keys, any previously logged data will be worthless. Read more about OTR’s security properties to understand an example of Privacy by Design.
  • Use TLS/SSL encryption when possible. You will know if you are visiting an encrypted website because the address will begin with “https,” and there may also be a lock icon in the address bar. These websites are extra-safe.

 

3.  Additional Security Manuals

World Pulse and Reporters Without Borders have collaborated to create a safety manual for citizen journalists. You can download the file here: World Pulse Safety Handbook.

These are some additional resources for you to consult when creating your personal security strategies: