How to research safely on the internet by Raphaelle Pluskwa and Ellen Riotte Four tips on how to protect your data when researching online information for asylum claims Everyone knows that defending human rights around the globe can be a risky business. But even when sitting safely in front of a computer in Europe researching information for an asylum claim, we should be concerned about security: very often, we are trying to dig up facts about highly sensitive human rights issues, specific people or recent events. For example, when looking for evidence that an asylum seeker’s brother was killed in a pro-independence demonstration in Chechnya to prove that a similar fate might await him if he is returned, or when trying to find evidence that an asylum seeker has been a member of an opposition party in a country where opposition to the government can provoke deadly consequences. While asylum seekers themselves are safe in Europe during those investigations, their family and friends are not, and neither are those who help you find the information. Protecting your data online is not anymore just about your own right to privacy, but potentially a life-saving habit. For five years Asylos researchers have been researching information online for asylum claims, and privacy has always been a major concern. We spoke to Dan Ó Cluanaigh, who has conducted trainings for Asylos researchers about data protection, and asked him to share a few tips on how to protect the researcher’s and the asylum seeker’s data when looking for information on the internet. Dan has worked on security and protection of human rights defenders through advocacy, research and training, and since 2012, he has been specialising in digital security. His current projects include working with the Tactical Technology Collective on a ‘holistic’ security manual for human rights defenders, which will be available next year. “We treat the online space like a public space where we can come to communicate with people but the fact is that it doesn’t belong to the public, it is in large part under private control”, explains Dan. “We are being allowed to be on private property for free, we don’t have to pay to use social networks, email services… But even though we are not paying with our money we are paying with our data and profile”. Unfortunately, there is no one-size-fits-all approach to the issue. If you are concerned about your cyber security, you first need to assess carefully what information really needs to be protected and against whom. However, there are some very simple habits that Dan recommends every researcher, NGO case worker or asylum lawyer adopt when retrieving information via the internet. Make sure no-one can easily access your emails The most straightforward way for an attacker to access our emails is through simply breaking the password to our email account. As it’s difficult to remember passwords, we tend to use passwords that are too simple. Web services like Passfault let you check online how long it takes for someone armed with the right software to break a password: you need just a few secondsto crack the password “123456” (which headed the list of the most popular passwords in 2014), but also other combinations – especially based on common English words – like “IloveEric” are equally quickly cracked. (Attention: don’t use your real password when checking, as we don’t know what Passfault does with the data!). However, if we use stronger passwords – such as phrases with several words, characters and numbers – it becomes much more difficult to break. An easy way to create and remember strong passwords is to use Keepass, an open-source password manager. Click on “downloads” on the right and choose the professional edition 2.30 – the system will guide you through installation process. Also, be aware of the “security question” that some providers like Google ask you to access your account in case a password is lost. You need an equally sophisticated answer as for the log-in – “pony” in response to “what is your favorite animal” is as vulnerable as loving Eric. Protect documents you share online Cloud Services like Google Drive and DropBox are very handy, as they allow to share and collaborate on documents. But should those documents contain sensitive information, you are better advised to use providers like Spider Oak or Team Drive, unless you know how to upload encrypted files. They require a small financial investment (around 8 Euros per month) but apply “zero knowledge” policy, which means that all your uploaded data is readable to you only, and that none of the data is stored elsewhere. Have online conversations no-one can listen to Contrary to Skype, Jitsi Meet allows you to have an online video conversation without creating an account. That means that you can have a one-time conversation with someone simply by sharing a link, and don’t have to include them in your contacts, which allows them to see if you are online or not. It’s currently one of the most secure video conferencing systems: the connection between all participants is encrypted. It is also open-source and can be run on your own servers, giving you complete privacy. In addition to the audio or video-conferencing, you have a text chat, a shared document and screen-share function that are easily accessible with a click on the screen. Jitsi is as easy to use as Skype but there is no risk it would share users’ information with authoritarian governement, as did Skype in China… Hide your personal information when browsing the internet The very basic rule is that when you are searching information on the internet, you should logout of your Gmail or Facebook account. Even when the tabs are closed, both Google and Facebook will continue collecting information about the websites you accessed. If you want to increase your privacy one step further, use the TOR browser that masks your IP address, making it impossible to reveal your geographical location and facilitating anonymity online. As with a Firefox, Chrome or other browsers, you simply download and install TOR and open the browser to access the internet. Even when being aware about potential security glitches, none of your data is completely safe on the internet. In the end, when handling really confidential information, you might want to consider other means of communicating them. Also, security challenges and responses change quickly, and it’s important not to leave the issue of data protection to your IT department, but to understand what happens when you are communicating on the internet. As Dan stresses, “the most important tool is curiosity and the desire to learn about digital security. The softwares will come and go, so being able to respond and react to the changing circumstances is vital.” Security in Box, a guide that covers the basic principles of digital security, is a good point to start. To learn more about the data industry and how one might being tracked, the Me and My Shadow project also compiles a whole lot of helpful resources that will enable you to understand what is digital security, and how you can protect yourself and the people you are working with.