My colleague Alexandra Combes writes:
A remarkable resource has been created by the Digital Defenders in partnership with the Electronic Frontier Foundation, Access and a group of human rights NGOs with the release of the Digital First Aid Kit - a well-designed website addressing digital emergencies of varying kinds.
The resource covers basics for secure communication, establishing trust, how to react in the case ofaccount hijacking and devices that are seized, stolen or lost, plus mitigation for malware and DDoS. The most important dimension of the kit is the way it simplifies these difficult concepts for less technical users.
While some might be put off by the different sections having technical titles that make it hard to work out which category their particular situation actually matches, the descriptions really do work for the non-technical reader.
The Kit starts with the necessary self-discipline of choosing secure communication, stating that most of usual communications tools are not as secure as one can hope:
"Mobile and landline phone communication is not encrypted and can be listened to by governments, law enforcement agencies, or other parties with the necessary technical equipment. Sending unencrypted communication is like sending a postcard, anyone who has access to the postcard can read the message."
The solution here is naturally the use of encrypted communication. The Kit explains:
"Sending encrypted communication is like placing the postcard inside a safe and then sending the safe, which only you and those you trust know the combination to and are able to open and read the message. [...] Choosing the most appropriate form of secure communication will depend on your unique situation, your threat model and the activities in which you are involved."
It then goes through various emergency situations that can arise, including account hijacking and dealing with the loss, theft or seizure of a device:
"Are you having a problem accessing an email, social media or web account? Does an account show activity that you do not recognize? There are many things you can do to mitigate this problem. [...] Is your device lost? Has it been stolen or seized by a third party? In any of these incidences it is very important to get a clear picture of what happened, what kinds of data and accounts may be vulnerable as a result and what steps must be taken to prevent the leaking and misuse of your information, contacts and accounts."
Dealing with malware is less familiar to most users, but certainly no less concerning:
‘"Malware’ is malicious software that facilitates an unauthorized takeover of your device by another user, government or third party to perform surveillance functions such as recording keystrokes, stealing passwords, taking screenshots, recording audio, video and more. While most malware is designed for and utilized by criminals, state-sponsored actors have increasingly adopted malware as a tool for surveillance, espionage and sabotage. Malware is used to gain control of devices. It exploits access to the device to send out spam, seize banking, email or social media credentials, shut down websites and collect vital information from journalists, human rights defenders, NGOs, activists and bloggers."
Distributed Denial-Of-Service mitigation - DDoS - comes last:
"A threat faced by many independent journalists, news sites and bloggers is having their voices muted because their website is down or defaced. In many cases, this maybe an innocent and frustrating problem, but on occasion, it may be due to a ‘denial of service’ attack or a website takeover."
The Kit concludes with a more technical section on establishing trust to help understand the tools aimed at maintaining secure conversations with only the person we think we are conversing with. Take a look and pass it on to someone you know.