A guide to online security for activists
The last year has seen an uptick in digital threats faced by individuals and organizations around the world, and those working on the question of Palestine are no exception.
Over the past few months, there have been attacks on boycott, divestment and sanctions (BDS) movement websites, threatening emails to activists and new information emerging on Israel’s surveillance capabilities.
“The latest cyber-attacks against BDS seem to be part of a full-fledged Israeli war on the movement that includes McCarthyite legal repression, use of intelligence services and yet more funding for ‘brand Israel’ propaganda,” said Mahmoud Nawajaa, the general coordinator of the Palestinian Boycott, Divestment and Sanctions National Committee (BNC). “These attacks smack of Israel’s despair at its growing isolation around the world, after failing for years to stem the growing support for the nonviolent BDS movement as a strategic and effective means to achieve Palestinian rights under international law.”
Following several new stories involving digital threats to BDS and solidarity activists, I started speaking with different people in the movement to learn more about the specific concerns faced by individuals.
The concerns they raised vary, as do the threats they perceive to their work and the work of others, but everyone I spoke with agreed that digital threats to the movement are on the rise.
Omar Barghouti, a Palestinian human rights activist and co-founder of the BDS movement, told me that the common response to such threats has been “to further enhance our electronic security but without panicking or adopting stringent measures in that regard.”
Barghouti says that an “unexpected common outcome” of such attacks “has been to raise the morale of activists who feel further reassured about the effectiveness of the human rights campaigning that we are conducting.”
Although such attacks can serve as an affirmation, they are nevertheless a hindrance to important work.
This article serves as a concise resource to address the most commonly cited concerns. It is by no means exhaustive, but should provide a series of first steps toward improving digital security for activists and organizations.
Problem: Solidarity websites are regularly experiencing distributed denial of service (DDoS) attacks.
As eQualit.ie – an organization that provides free and open source digital security for civil society – reported in June, there were six recorded incidents against bdsmovement.net, the high-profile website of the BNC between February and March of 2016.
Ali Abunimah of The Electronic Intifada, which has experienced DDoS attacks as well, observed that the attacks “look like another element of Israel’s increasingly aggressive effort to silence the BDS movement by all means.”
The technical report from eQualit.ie “uncovers important evidence that the distributed denial of service (DDoS) attacks carried out on the main website of the BDS movement and websites of other groups critical of Israel’s occupation and violations of human rights are complex and highly coordinated,” Barghouti said. “We’re encouraging all of our partners to use anti-DDoS services such as the Deflect service provided by eQualit.ie and to encrypt their communications wherever possible.”
A DDoS attack can prevent a website from functioning efficiently, temporarily or indefinitely.
Typically, the attack saturates its target with server requests designed to flood its bandwidth, leaving the server incapable of responding to legitimate traffic. To the user, this results in an inability to access the site in question.
Although a DDoS attack can be leveraged against any website, journalists and activists are frequent targets. And where a corporation or government may have the resources to fend off such an attack, many smaller organizations or individuals don’t know what to do when they experience one.
What you can do:
- The eQualit.ie Deflect service – which was employed to protect bdsmovement.net – offers DDoS protection to eligible organizations.
- Cloudflare’s Project Galileo provides DDoS protection for at-risk public interest websites.
- Regularly backing up your website is important and can ensure that even if a DDoS attack takes it offline, your content remains intact.
- Mirroring your site is another good option for ensuring that your content remains online during an attack.
Problem: Governments are monitoring and capturing communications and could use them against activists.
Three years ago, Edward Snowden, leaking information from the National Security Agency, demonstrated thecapacity of the United States and other world governments to spy on their citizens.
This built upon previous suspicions and information that governments have been conducting surveillance on the digital communications of their own citizens and of people in other countries.
“Israel’s military and intelligence services act with impunity. It seems highly likely that Israel is using them in its surveillance of electronic communications and phone calls of BDS activists in western countries, in contravention of these countries’ respective laws,” Barghouti said. “Governments must take action to protect their citizens from the intrusive surveillance of Israel’s intelligence services.”
Many organizations and institutions are working to combat surveillance by challenging the system through legal and legislative means.
At the same time, it is important that individuals and communities protect themselves by changing their habits and/or adopting new technologies that offer additional protection from spying.
Barghouti agrees. “We’re keen to raise awareness of the fact that while it’s important to take basic online security measures, Israel has huge cyberwar capabilities at its disposal so is likely able to intercept even encrypted communications – don’t communicate anything via telephone or online that you’re not prepared for your adversaries to intercept.”
The type of strategy you should take depends on what you’re trying to protect, and who you’re trying to protect it from – as well as the amount of effort you’re willing to put in, and the likelihood that you’re at risk.
Before changing your behaviors, it’s helpful to conduct a risk assessment by thinking through some questions about your work and lifestyle.
What you can do:
- Mobile apps that employ end-to-end encryption and allow users to verify one another using fingerprintsinclude Signal, WhatsApp, and Wire, all of which also have desktop and encrypted voice calling options. It’s also possible to add end-to-end encryption to many messaging tools, including Facebook, by using desktop apps Adium or Pidgin along with off-the-record (OTR) messaging.
- Device security is also important. Understanding how mobile phones can be insecure can help you make informed decisions about how you use them in your advocacy.
- For more information and guides on how to use some of these tools, see the Electronic Frontier Foundation’s Surveillance Self-Defense or Security in a Box, a project of the Tactical Technology Collective and Frontline Defenders.
Problem: Facebook groups and other communities are often infiltrated, putting individuals and their networks at risk.
Student groups, both activist and academic in nature, have long expressed suspicions that anti-Palestinian political groups are spying on them. In 2014, The Electronic Intifada published documents demonstrating that a student spied on members of a University of California “conflict analysis” group called the Olive Tree Initiative and reported back to the AMCHA Initiative, an anti-Palestinian group “behind a number of initiatives to silence and intimidate students and teachers perceived to be critical of Israel.” The AMCHA Initiative was co-foundedby Tammi Rossman-Benjamin, a lecturer at the University of California, Santa Cruz.
Online, digitally savvy organizations employ similar tactics. Canary Mission, which launched in April 2015, targets campus BDS activists, tarring them with labels like “fake Jew” with the “stated aim of denying future employment opportunities to the students they had targeted,” journalists Max Blumenthal and Julia Carmelwrote last year.
There have also been incidents, some publicized, some not, in which members of pro-Israel groups and intelligence agencies have disguised themselves in order to infiltrate BDS or Palestine solidarity groups.
Many individuals I spoke with expressed concern that their online communities could be, or had been, infiltrated by those seeking to do harm. Most expressed that this threat came from groups that at least appear nominally independent from government (such as AMCHA).
When I asked a followup question – “Do you feel that you’re careful when accepting new friends on Facebook?” – several people admitted that they base their decision on the number of mutual friends they have with the person trying to add them, rather than on other trust factors (such as confirmation with a mutual friend that the person is known).
What you can do:
- When accepting friend requests from individuals you can’t immediately identify – even if you have many mutual friends on Facebook – check in with someone to verify the person’s identity.
- Check the privacy settings on your Facebook account. Facebook’s privacy checkup feature walks users through the various settings applied to posts, photos and other content and allows them to make changes, including ones that apply to all older content.
- Consider using encryption tools for more private communication. Facebook and other social networks can sometimes be vital for activists organizing across borders, but some conversations might be better off taking place using some of the more secure messaging apps mentioned above.
- Surveillance Self-Defense has more information on protecting yourself and your privacy on social networks.
Problem: Activists sometimes receive suspicious attachments or links in emails and aren’t sure how to assess whether it’s safe to open them.
In June, a number of Palestine solidarity activists received threatening emails from a group calling itself “Brigade Juive” (“Jewish Brigade” in French) that contained suspicious links.
Although the links were found not to contain malware, it’s important to be vigilant when receiving links and attachments.
Malicious content can pose huge risks to the security and privacy of your device. It can allow an attacker to record from your webcam or microphone, disable the notification settings for certain anti-virus programs, record what you type, copy your content, steal passwords and more.
What you can do:
- Follow your gut. If an attachment or link looks suspicious, take a few minutes to think about who the sender is, what the email says and other contextual clues.
- For further advice, read the Surveillance Self-Defense guide to protecting yourself against malware.
- Security in a Box contains a guide to protecting your device from malware and hackers.
Problem: It’s hard to convince people to use encryption.
A common response to the revelations about government surveillance has been “I have nothing to hide.”
In the American context, this response often comes out of privilege; the perception that one is doing nothing wrong or illegal and therefore has nothing to hide.
Much has been written about the phenomenon, and an article by Whisper Systems founder and Signal developer Moxie Marlinspike perhaps explains it most concisely: We won’t always know when we have something to hide (because structures of authority and threat models change), and sometimes we do have something to hide.
Marlinspike reminds us that free speech allows us to “create a marketplace of ideas, from which we can use the political process to collectively choose the society we want,” a process that sometimes results in agitating or advocating for changes to the law and involves discussion of the forbidden, something with which activists are well acquainted.
In talking with Palestinian activists, I found that the “nothing to hide” argument takes a different turn. “In the movement, we assume everything we say and do is monitored,” said Nadia Hijab of Al-Shabaka: The Palestinian Policy Network. “So, everything we do or say is above water. We feel we have nothing to hide. But it is kind of a spooky thing to think that if you write a person an email, that it’s being monitored.”
Barghouti expressed a similar sentiment: “Since we launched the BDS movement in 2005, we worked with the assumption that Israel can and will use advanced surveillance to monitor everything we communicate. A major advantage that the BDS movement has, however, is that it is anchored in the Universal Declaration of Human Rights, rejects all forms of racism and seeks to nonviolently pressure Israel’s regime of occupation, settler-colonialism and apartheid in order to achieve Palestinian rights under international law, just as apartheid South Africa was pressured. There is nothing clandestine about that.”
Another activist, who did not want to be named, told me that in the West Bank there’s a division between two realities. “If you have something to hide, you’re a militant, or planning something militant in nature. As long as you don’t do the act or are not planning to do anything, then you have nothing to hide.”
This can result in a false sense of security for activists or journalists whose work is legal or “above board,” whennew threats emerge – Israel has aggressively jailed journalists, activists and academics merely for comments they’ve allegedly posted on Facebook.
Furthermore, in a context where activists can be viewed as militants for using privacy-enhancing technologies, it can create an impossible conundrum: Use encryption, and risk getting labeled, or don’t, and risk getting in trouble.
“Not every tool or technique is applicable to every situation,” said Morgan Marquis-Boire, a senior researcher at the University of Toronto’s Citizen Lab. “What works for a journalists working on leaks in the US may not work for a human rights activist in the [Middle East and North Africa region].”
One idea that many privacy advocates agree on is that when more people adopt encryption, its use becomes normalized; in other words, the more people who are using it, the more difficult it becomes for others to accuse us of wrongdoing.
“Certain approaches rely on the principle that people don’t stand out in crowds,” Marquis-Boire explained. “In sensitive situations, where someone is likely to be under scrutiny, the observed use of certain security tools might be viewed as suspicious behavior. In such environments, the use of common software [like WhatsApp] that has strong security built in might be less suspicious.”
For those of us who are less at risk, using encryption can be an act of solidarity. Here’s how this practice can look in action: In 2004, an Italian project emerged called Cryptokitchen.
In order to encourage mass adoption of PGP, an encryption program that provides privacy and authentication for email and other communications, a group of activists created Cryptokitchen with the following tagline: “Crypto-Recipes 4 the masses, recipes and encryption for all!”
The idea was to practice and spread the use of encryption by using it to send innocuous (and delicious!) recipes to one another – perhaps an idea Palestinians can get behind.
There is no one-size-fits-all solution to any of these problems, but by taking small steps to improve our awareness and digital security (and the security of those around us), we can create a safer space in which to do our work.
- Access Now’s Digital Security Helpline offers round-the-clock assistance to civil society actors around the world, free of charge.
- The Digital First Aid Kit is helpful for individuals with digital security skills who have been tasked with helping individuals or organizations. It aims to provide preliminary support for people facing the most common types of digital threats.
- The Electronic Frontier Foundation’s Surveillance Self-Defense guide is available in 11 languages and aims to help users protect themselves from digital surveillance.
- The Tactical Technology Collective offers a number of useful guides designed to help users improve their security and privacy.
- Security in a Box contains digital security resources and guides in 17 languages.
- The Holistic Security Manual seeks to help individuals create a process to develop or improve personal strategies for security.
- Zen and the Art of Making Tech Work for You is a community-built resource especially for women and trans activists.
- Me and My Shadow helps users discover and remedy the digital traces they leave behind.
- LevelUp provides resources to those who are trying to teach digital security to their communities.
- May First/People Link “engages in building movements by advancing the strategic use and collective control of technology for local struggles, global transformation, and emancipation without borders” and offers highly recommended resources to its membership.
Jillian C. York is Director for International Freedom of Expression at The Electronic Frontier Foundation.