Knowledge roundups are created in response to questions raised by members of the Global Grassroots Support Network (GGSN), an initiative building upon the Blueprints for Change project. The GGSN is building a community of practice that brings together projects supporting grassroots justice-oriented** activist groups in multiple regions and continents. The objective is to share knowledge around common challenges that these groups face, and how each project has solved for them. Questions are raised to other GGSN members to compile the knowledge and resources we have to respond.
In this roundup, we responded to the question: What does online security look like for your group? What platforms do you use for that?
**See the following document for the GGSN definition of “grassroots.”
GGSN community answers
Platform switches and ‘hygiene’ practices
Blueprints for Change has a guide on the basics of digital security for campaigners (though it might be a bit out of date by now). Things in this guide that will never get old have to do with basic ‘hygiene’ practices, like 2FA (two-factor authentication for logins), password keeper programs and OS updates. These are easily forgotten by team members, making individual members’ devices and platform access the most vulnerable points in any group digi security approach.
Repower offers a course for digital campaigners. In one of their workshops they suggested:
- Using a password manager like LastPass in order to safely share passwords and use good passwords
- Switching from SMS to Signal
- Turning on two-factor authentication (2FA) for services like Google, Facebook, and your password manager
- Encrypting your devices — computers, tablets, cell phones. Try HTTPS Everywhere for online communication encryption.
Using the right platforms
When the Climate Justice Organizing HUB got started, we got a rough and thorough ‘schooling’ by a hardcore activist expert on digi security. Basically, we were told, through real-life scenarios, everything that could go wrong when compiling and hosting data on a large network of activists (as we were bound to do in our work). This led us to use only double-encrypted platforms, whose providers could not hand over our data in response to court orders.
Of course, there is an added level of friction and work with partners not used to these alternatives, but in the end, the risk of leaking a bunch of compromising activist info outweighed the trouble it took to avoid it.
We swapped the following platforms:
- Instead of Google Suite, we use Cryptpad.fr. The company is based in France, which might cause technical challenges for some. You can set up your own server, if you have the tech support to do so.
- Instead of Gmail, we use Protonmail, and if we are not booking low-risk public events, we keep our secure meetings noted on Proton Calendar, which comes with paid Protonmail.
- Instead of Slack, we use Keybase
- If we have extra security concerns around phone calls, we use Signal
- Encrypted email: Proton Mail. Tutanota is an alternative.
- Secure cloud storage: Mega. Bonus: it’s free!
- Secure note-taking app: Standard Notes. Bonus: there’s a free option!
- Secure video conferencing: Wire. Also lets you communicate and share files; an all-in-one collaboration tool. Jitsi is an alternative, and Signal might be an option to try for smaller group calls.
- File sharing app: Onionshare. Peer-to-peer sharing using the Tor network. If you experience slow transfer times, you can also check out these other platforms.
- Secure instant messenger: Signal. End-to-end encrypted, open source.
- Secure communication tool: Element. Secure, encrypted alternative to Slack.
- Secure document service: Cryptpad. Open-source, end-to-end encrypted. An alternative to Cryptpad is Skiff. It offers encrypted docs with templates, email and a decentralized drive. Fewer document types than Cryptpad.
- Password manager: Bitwarden. 1Password is an alternative.
Threat modeling
On top of the above, it’s important to model threat scenarios with your team and to come up with crisis scenarios, where the team knows what to do if ever a subpoena to hand over data comes in or someone’s devices are compromised.
Access Now has a ‘first look at digital security’ booklet to help you understand what you want to protect, or your “threat model.” The document introduces four user personas with suggestions for each.
De-escalation and self-protection
The toolkit can help activists understand basic steps to protect themselves from attacks online and in person, such as recommended online secure communications platforms and tools, and tips for far-right confrontation and de-escalation.
Finding further support
Access Now has a digital security helpline available 24/7. They can provide support in English, Spanish, French, German, Portuguese, Russian, Tagalog, Arabic, and Italian.
Email the helpline and you’ll receive a response within 2 hours. They will then seek to confirm your identity and secure the conversation. Following that, they can provide:
- Rapid response for digital security incidents
- Personalized recommendations, instruction, and follow-up support for security issues
- Help assessing risks and creating security strategies
- Guidance and educational materials on security practices and tools
- Support for securing technical infrastructure, websites, and social media against attacks
- Referrals, capacity-building, consultations and training
Sources of info cited in this roundup included:
- Blueprints for Change: https://blueprintsfc.org/
- Repower: https://repower.org/
- The Climate Justice Organizing Hub: https://lehub.ca
- Access Now: https://www.accessnow.org/
- Make Use Of: https://www.makeuseof.com/
- Rural Organizing: https://ruralorganizing.org/
Individual contributors to the knowledge roundup have been anonymized.
This knowledge roundup was prepared by: