By Sophie Kloos

A few days ago, NGOs and media outlets uncovered that at least ten authoritarian governments around the world have been using surveillance technology to target human rights activists, political opponents and journalists. The hacking software that was used for surveillance, called Pegasus, allows the user to take control of a phone, extract any data stored on it - even the content of encrypted messaging apps - and to secretly activate cameras and microphones. The discovery of this surveillance method has made major international news headlines because it does not only demonstrate that surveillance methods are becoming increasingly sophisticated, but it also painfully dispels the myth that innocent people are safe from unwarranted surveillance. 

As an international network of human rights defenders who research information for asylum claims, we are acutely aware of the potential security risks associated with our work. We often try to dig up facts about highly sensitive human rights issues, specific people or recent events. For example, we may try to find evidence that a person seeking asylum has been a member of an opposition party in a country where this can provoke deadly consequences. In such instances, we need to take utmost care not to put at risk that person, their family and friends in the country of origin and/or anyone who helps us uncover relevant information. Protecting your data online is therefore not only about your own right to privacy, but it has the potential to be life-saving for those you are supporting.

Asylos' network of volunteers has been researching information for asylum claims for over ten years now, and privacy has always been a major concern. In the past, we have sought training and advice from several data protection and security experts, including Dan Ó Cluanaigh, project lead and co-author of 'Holistic Security: A Strategy Manual for Human Rights Defenders'. We have learned that there is no one-size-fits-all approach to the issue. If you are concerned about your cyber security, you first need to carefully assess what information really needs to be protected and against whom. However, there are some very simple baseline habits that we ask all Asylos researchers to adopt, and which we can recommend to every researcher, NGO case worker or asylum lawyer retrieving information via the internet.

Make sure no one can easily access your emails

The most straightforward way for an attacker to access our emails is through simply breaking the password to our email account. As it’s difficult to remember passwords, we tend to use passwords that are too simple. Web services like My1Login's Password Strength Test can give you an idea how easy it is for someone armed with the right software to crack a password: you need just a few milliseconds to crack the password “123456” (which has been heading the list of the most popular passwords every year since 2013), but also other combinations – especially based on common English words – like “IloveEric” are cracked within less than a second. Stronger passwords are much, much more difficult to crack. To strengthen your password, don't use dictionary words or any personal information such as your date of birth or the name of the person you're in love with, but do make it long and use a mix of letters, characters and numbers.

Also, be aware of the “security question” that some providers like Google ask you to access your account in case a password is lost. You need an equally sophisticated answer as for the log-in – “pony” in response to “what is your favourite animal” is as vulnerable as loving Eric.

Use a different password for each of your online accounts and change your passwords regularly if possible. An easy way to create and remember strong passwords is by using a password manager such as KeePass, 1Password, Dashlane or LastPass.

Regardless of your password strength, it is always a good idea to protect your online accounts with two-factor authentication. Setting up two-factor authentication means that signing on to your online account from a new device will require you to enter a code that is usually received via email, text message or through an app on your phone and needs to be re-entered every 30 days. Obviously, any device that you are using to conduct research or to manage two-factor authentication should also be secured with a strong password, especially if you carry them with you in public.

Hide your personal information when browsing the internet

The very basic rule when searching information on the internet is to log out of your email and social media accounts. The risk that your online steps can be traced back to you is quite high when being logged into an account, even when the corresponding tabs are closed. Opening a new browser window in incognito mode is a good way to make sure you’re logged out of accounts. However, be aware that in most browsers (including Chrome), the incognito mode doesn’t protect you from being tracked. To self-test what data might be exposed by your browser at any given point in time, you can use the Privacy Analyser Tool.

If you want to increase your privacy one step further, use the TOR browser that masks your IP address, making it impossible to reveal your geographical location and facilitating anonymity online. As with a Firefox, Chrome or other browsers, you simply download and install TOR and open the browser to access the internet.

You can use an ad-blocker to mitigate the risk of being tracked online or infected by malware. Our suggestion is uBlock Origin, a free and open source browser extension, which is available for Chrome and Firefox.

In addition, you may want to ensure that your connections are encrypted. We recommend installing HTTPS Everywhere. This extension ensures that, if available, your connection to a website is made through HTTPS rather than only HTTP. The “s” stands for secure and indicates that connections are encrypted. Most websites, such as Facebook or Gmail, are using HTTPS by default, but there are some where this is not the default behaviour.

Protect documents you share online

Cloud Services like Google Drive and DropBox are very handy, as they allow to share and collaborate on documents. But should those documents contain sensitive information, you are better advised to use providers like Spider Oak's CrossClave or Team Drive, unless you know how to upload encrypted files. They require a small financial investment but apply “zero knowledge” policy, which means that all your uploaded data is readable to you only, and that none of the data is stored elsewhere.

Have online conversations no one can listen to

Jitsi Meet allows you to have an online video conversation without creating an account. That means that you can have a one-time conversation with someone simply by sharing a link, and that you don’t have to include them in your contacts, which would allow you to see whether the other person is online or not. It’s currently one of the most secure video conferencing systems: the connection between all participants is encrypted. It is also open source and can be run on your own servers, giving you complete privacy. In addition to the audio or video-conferencing, you have a text chat, a shared document and screen-share function that are easily accessible with a click on the screen. Signal now also allows fully encrypted video calls from your smartphone. Zoom, which came under attack for security weaknesses when it experienced a massive surge in users in the beginning of the Coronavirus pandemic, has more recently focused on strengthening its privacy and security measures and has launched end-to-end-encryption. If you are using Zoom, you can refer to their guidelines on how to make your call as secure as possible. 

Even when being aware about potential security glitches, none of your data is completely safe on the internet. In the end, when handling extremely confidential information, you might want to consider offline means of communication. Also, security challenges and responses change quickly, and it’s important not to leave the issue of data protection to your IT department, but to understand what happens when you are communicating on the internet.

Tactical Tech has a wealth of resources that help you understand what digital security is and how you can protect yourself and the people you are working with. For example, their Security in Box guide covers the basic principles of digital security.

Have you got any other tips to conduct human rights research online safely and securely? Leave a comment below to share them with us.

An earlier version of this post, authored by Raphaelle Pluskwa and Ellen Riotte, was published on the Asylos blog in December 2019. This post was updated to reflect recent developments on the topic.