https://writers.wiki.apc.org/api.php?action=feedcontributions&feedformat=atom&user=TarrynAPC Writer's Wiki - User contributions [en]2026-04-29T17:55:04ZUser contributionsMediaWiki 1.43.7https://writers.wiki.apc.org/index.php?title=What_is_GenderIT.org&diff=570What is GenderIT.org2015-06-14T17:05:09Z<p>Tarryn: </p>
<hr />
<div>[[File:doc.jpg|thumb|200px]]<br />
GenderIT.org is a project of the Association for Progressive Communications Women's Rights Programme.<br />
<br />
Launched in 2006, GenderIT.org is a seminal resource site that provides feminist reviews and commentary on internet policies and cultures. It maps the intersections between women’s rights and sexual rights with internet rights issues, concentrating on bringing voices from the global South on these issues, since the discourse is often dominated by those from the North.<br />
<br />
The site is meant to be a '''think-tank OF and FOR''' women's, sexual and internet rights activists, academics, journalists and advocates from a range of disciplines and contexts. GenderIT.org provides a space for reflection, influence and advocacy on internet policies and cultures so that they meet women's needs and do not infringe on their rights. Thus it also serves as a resource and reference tool, with information on the key players, evolving terms and current debates.<br />
<br />
It started as a site monitoring policy developments in ICT and gender, and from its beginnings has been unique. Initially it was one of the first sites looking at ICT policy developments through a gender lens. More sites and individuals are now doing this, reflecting both the growth of the internet and the growing awareness of online misogyny. However, GenderIT.org remains a unique space for its focus on the global South, its focus on those working at the grassroots level (that is grounded in the experience of the women in the society in which they live), and for its emphasis on both advocacy and social justice.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=What_is_GenderIT.org&diff=569What is GenderIT.org2015-06-14T17:01:00Z<p>Tarryn: </p>
<hr />
<div>[[File:doc.jpg|thumb|200px]]<br />
GenderIT.org is a project of the Association for Progressive Communications Women's Rights Programme.<br />
<br />
Launched in 2006, GenderIT.org is a seminal resource site that provides feminist reviews and commentary on internet policies and cultures. It maps the intersections between women’s rights and sexual rights with internet rights issues, concentrating on bringing voices from the global South on these issues, since the discourse is often dominated by those from the North.<br />
<br />
The site is meant to be a '''think-tank OF and FOR''' women's, sexual and internet rights activists, academics, journalists and advocates from a range of disciplines and contexts. GenderIT.org provides a space for reflection, influence and advocacy on internet policies and cultures so that they meet women's needs and does not infringe on their rights. Thus is also serves as a resource and reference tool, with information on the key players, evolving terms and current debates.<br />
<br />
It started as a site monitoring policy developments on ICT and gender, and from its beginnings has been unique. Initially it was one of the first sites looking at ICT policy developments through a gender lens. More sites and individuals are now doing this, reflecting both the growth of the internet and the growing awareness of online misogyny. However, GenderIT.org remains a unique space for its focus on the global South, its focus on those working at the grassroots level (that is grounded in the experience of the women in the society in which they live), and for its emphasis on both advocacy and social justice.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=General_orientation_for_events_coverage&diff=567General orientation for events coverage2015-06-07T19:40:05Z<p>Tarryn: /* Feminist Talks (blog posts) */</p>
<hr />
<div>[[File:coverage.jpg|thumb|200px]]<br />
<br />
GenderIT.org and APCNews have both been recognised for the coverage done in events by readers and writers, becoming one of its substantial outputs when it comes to gender, internet rights and ICT policy arena. <br />
<br />
<br />
== '''What is the dynamic we propose to the team for an event coverage?''' ==<br />
<br />
<br />
GenderIT.org and APCNews commits to keep the core writers informed about any upcoming event of relevance for coverage, so the team is available and ready to go. Team meetings and email contacts will be the spaces to have these discussions and updates.<br />
<br />
The editorial teams team will develop a communications plan before the event, to make sure we are all on the same page, adding background information on the event, why it is relevant to our advocacy goals, what are the responsabilities of each one of us, what are the outputs expected, and what are the expectations in general.<br />
<br />
This plan will include orientation for work previously, during and after the event. Many times the event itself is just the tip of the iceberg: many other things will be needed before, during and after the event in terms of coverage. Please refer to the CSW case linked to this document to use as an example of what we mean by this.<br />
<br />
Once the event its happening, weather we are carrying an on-site or an off-site coverage, the editors will be in touch and available for the writers as much as possible to provide orientation, feedback on whatever is necessary and to make suggestions.<br />
<br />
As mentioned before, sometimes after a big event we prepare a newsletter edition. The content of this edition can be composed by on-site produced content, or in some cases of special materials - usually in-depth articles – commissioned to complement the on-site delivered content. <br />
<br />
One of the ways that the APCNews/GenderIT.org teams have of assessing and monitoring the reach of these editions is through a website statistics report done one month after the edition went out. This search tell us which were the most read materials, the number of visits to the website, the impact on social media, among other indicators. And our experience with these reports has showed us so far that GenderIT.org events coverages are quite successful. These reports can be shared with the team of writers if you consider it is a relevant resource for your orientation.<br />
<br />
<br />
<br />
== '''Events usually covered by GenderIT.org''' ==<br />
<br />
<br />
Even though coverage opportunities change, and our advocacy objectives might give more importance to some events over the others, the coverage that GenderIT.org usually does relates to these spaces:<br />
<br />
===''UN spaces:''===<br />
<br />
''Global Internet Governance Forum (IGF)''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-2010 2010 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-2011-internet-governance-forum 2011 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/IGF2012 2012 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-indonesia 2013 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/9th-igf-feminist-talks-scale-over-walls-internet-governance 2014 IGF coverage condensed in special edition]<br />
<br />
<br />
''Regional and national IGFs''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-latin-america 2013 LAC IGF coverage condensed in special edition] (full coverage in [http://www.genderit.org/es/edition/periferias-del-g-nero-en-el-foro-de-gobernanza-de-internet-en-am-rica-latina Spanish])<br />
<br />
[http://www.genderit.org/feminist-talk/asia-pacific-stakeholders-assert-human-rights-should-be-heart-internet-governance-disc 2014 Asia-Pacific IGF] (stand alone article)<br />
<br />
[http://www.genderit.org/feminist-talk/impacting-global-advocacy-tech-related-violence-against-women-through-regional-igfs Impacting global advocacy on tech-related violence against women through regional IGFs] (stand alone article)<br />
<br />
<br />
''Commission on the Status of Women''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/genderitorg-commission-status-women-2011-new-york 2011 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/end-violence-against-women-language-and-action-csw57th 2013 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/back-and-forth-advancement-womens-rights-csw58 2014 CSW coverage condensed in special edition]<br />
<br />
<br />
''UN Committee on the Elimination of Discrimination against Women (CEDAW)'' <br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/resources/cedaw-apcs-submission-commitee-general-recommendation-girls-women-s-right-education CEDAW: APC's Submission to the Commitee on the General recommendation on girls’/women’s right to education] (stand alone article/resource)<br />
<br />
<br />
''Universal Periodic Review''<br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/edition/womens-human-rights-online-universal-periodic-review Human Rights Council's Universal Periodic Review (UPR)]<br />
<br />
<br />
===''APC's projects related events''===<br />
<br />
''On sexual and internet rights:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet-imagineafeministinternet Global Meeting on Gender, Sexuality and the Internet in 2014] (coverage in synch)<br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet Global Meeting on Gender, Sexuality and the Internet in 2014] (special edition)<br />
<br />
[http://www.genderit.org/edition/erotics-all-over-constellations-debates-sexual-rights-privacy-and-technology EROTICS project meetings in India and United States in 2013] (special edition)<br />
<br />
<br />
''On violence against women:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/taking-control-technology-end-violence-against-women Take Back the Tech! campaign in 2011]<br />
<br />
[http://www.genderit.org/edition/power-stories-reclaim-womens-rights Take Back the Tech! campaign in 2012]<br />
<br />
===''Partners' relevant events''===<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/category/discussion-theme/genderitorg-12th-awid-forum-2012 AWID Forum in 2012]<br />
<br />
<br />
Other local, regional or global initiatives or events related to access, FLOSS, media, human rights, among others.<br />
<br />
<br />
''CSW: A real case of coverage''<br />
<br />
We have attached one report featuring as an example the coverage planned and executed (including final statistical reporting) of the 2013 Commission on the Status of Women (CSW) session in New York. This will be a good case to read through in order to get a sense of how GenderIT.org and APC communications team work like during a relevant event coverage. Check it out here: [[Media:File:CSW case example.pdf]]<br />
<br />
== '''What kind of outputs do we expect from events' coverage?''' ==<br />
<br />
<br />
Writers attending to key events on behalf of GenderIT.org/APCNews or following them remotely are expected to produce certain outputs that will later feed an edition (if that is the case) or be featured on GenderIT.org/APC.org websites, on other APC websites when relevant, and on social media.<br />
<br />
<br />
<br />
=== ''Feminist Talks (blog posts)'' ===<br />
<br />
<br />
'''1.''' Feminist Talks doesn't have to be too long. Around 1500 words is perfectly fine, and we encourage to input as much insight and analysis as possible in the writing. It is usually personal and insightful.<br />
<br />
'''2.''' You can submit your inputs or engage in discussions around women's rights issues in GenderIT.org's Feminist Talk. To submit your blog you should [http://www.genderit.org/user/register create an account] and then navigate to [http://www.genderit.org/node/add/blog create feminist talk]. <br />
<br />
'''3.''' Make sure you have chosen a profile picture for you and a short byline for the “about” field. Other information is optional.<br />
<br />
'''4.''' You can also send your reflections and photos directly to genderit@apcwomen.org and we will upload them for you. You do not need to be registered to send a comment on other posts.<br />
<br />
'''5.''' Off-site team: Those following the event off-site can help with blogging by using the tweets sent by on-site team as input for their articles, as well as the webcasts when available. This is a good practice that allows us to produce more content and to help on-site team.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/feminist-talk/how-technology-informs-my-activism-conversation-gender-and-technology-activists-barcel How technology informs my activism: A conversation with gender and technology activists in Barcelona]<br />
<br />
[http://www.genderit.org/feminist-talk/video-feminist-talks-feminist-internet Video: Feminist talks on a feminist internet]<br />
<br />
[http://www.genderit.org/feminist-talk/never-mind-nipples-sex-gender-and-social-media Never mind the nipples: Sex, gender and social media] <br />
<br />
[http://www.genderit.org/feminist-talk/how-crucial-anonymity-sexual-exploration-and-promoting-sexual-rights-activism How crucial is anonymity for sexual exploration and promoting sexual rights activism]<br />
<br />
[http://www.genderit.org/editorial/two-weeks-push-greater-recognition-our-rights Two weeks to push for greater recognition of our rights]<br />
<br />
=== ''Articles/interviews'' ===<br />
<br />
<br />
'''1.''' Writers attending the event are expected to write sessions chronicles, articles on hot topics, or interview key advocacy referents. This can be in text format, or video, or an audio interview. It will depend on the kind of material and its quality (you might have a great interview in recorded audio but if the sound quality is not good enough, it is possible that it might have to be turned into a text piece).<br />
<br />
'''2.''' Some of the articles/interviews will be prearranged with GenderIT.org editorial team before the event, having in mind the people attending to that space and the topics covered.<br />
<br />
'''3.''' Criteria for writing articles (extension, depth) is detailed in the GenderIT.org's payment squeme (link) and shall be coordinated with the editors beforehand.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/articles/stripping-igf-bare-where-are-women-s-rights Stripping the IGF bare: where are women´s rights?]<br />
<br />
[http://www.genderit.org/articles/interview-nana-darkoa-adventures-bedroom-african-woman Interview with Nana Darkoa: Adventures from the bedroom of an African woman]<br />
<br />
[http://www.genderit.org/articles/lets-talk-about-gender-analysis-lac-igf Let's talk about gender analysis in the LAC IGF]<br />
<br />
[http://www.genderit.org/articles/women-igf-now-we-need-mainstream-gender Women at the IGF: Now we need to mainstream gender]<br />
<br />
[http://www.genderit.org/articles/digital-world-2012-stories-end-violence-against-women Digital World 2012: stories to end violence against women] <br />
<br />
[http://www.genderit.org/articles/azerbaijan-when-online-security-synonymous-personal-safety Azerbaijan: When online security is synonymous with personal safety]<br />
<br />
=== ''Twitter'' ===<br />
<br />
<br />
1. '''Make sure that you have a Twitter account.''' Make it open (otherwise people who are not following you – the ones we want to reach- won't be able to see your tweets). If you want to keep your Twitter account private you can create a new one for work. Make your user name as personal as you can, (eg: sonia_apc rather than womensprogramme_apc). People are more interested in personal opinions and views rather than organisational speech. Writers are expected to use their accounts for tweeting during events. <br />
<br />
2. '''We use the hashtags''': #genderit and #genderitES for Spanish. APC Twitter accounts are @APC_News @APCNoticias @APCNouvelles @GenderITorg @GenderITorgES.<br />
<br />
3. '''Find out and send us the Twitter accounts of partners/members attending''', so that we can follow them with the GenderIT.org and APC accounts.<br />
<br />
4. Sometimes, before an event, a set of predefined tweets is shared via email to facilitate the tweeting and the dissemination of our key messages.<br />
<br />
5. '''Once at the event, find out what hashtag people are using.''' Sometime there are various hashtags circulating. For instance, with CSW, tweeples could be using various tags — such as #CSW, #CSW59 or #CSW2012. Identify the most popular one. We'll use that hashtag for the box on APC.org.<br />
<br />
6. '''If this event does not have an active hashtag, we will set up one''', probably using somehow the name of the conference, so all tweeples can relate to. This way, you can easily follow the conversation and then create one page with all posts from the event for easy reference (check Storify below). <br />
<br />
7. '''Tweet (in English and/or in Spanish)!''' You can quote panelists and participants (short, summarised and catchy phrases) and/or your reactions to what it's being said, about conversations you have or overhear, your observations, soundbytes, links to interesting resources or news, photos, reminders about events. You can also reply to other participants; many times real participation takes. <br />
<br />
8. '''Re-tweet interesting stuff from other people:''' this will help us build our Twitter audience. <br />
<br />
9. '''Blog.''' Many times you can cut and paste some tweets and replies and make an interesting post with little effort. You can also use tweets for reporting or as a way of taking notes. <br />
<br />
10. '''Invite people to share their own writings:''' You will not be alone in the coverage of an event, so this other people are your allies. Contact them via Twitter or email to give them a heads up on the coverage plans and ask them to send you their stuff.<br />
<br />
Example: Are you going to be writing at #IGF? If so, I would love to include your post(s) in our ongoing event coverage. Send me a DM with a link to your post, and we’ll get it added to our site. <br />
<br />
11. '''Remote team:''' Keep an eye out on tweets, re-tweet conversations, reply and join conversations, and conduct deeper research on tweeted links. Engage as much as possible – we know it is hard not being present physically to follow up what is going on at the event, but we promise you that it is completely possible and useful.<br />
<br />
<br />
'''Tips for live tweeting:'''<br />
<br />
'''Make a plan:''' Choose your sessions in advance. If you are attending an event with multiple tracks, schedule which sessions you’ll be attending and covering in advance. If you don’t want to cover everything you sit in on, consider what your readers will benefit from the most. Once you decide what you will be covering, prep your posts with these basics to save time:<br />
<br />
- Name of the session and speaker: Make sure you can provide a bit of background about the speaker, including links to his/her company, Twitter handle, etc. <br />
<br />
- Details of the session: Is there a Slideshare or a programme available that you can review in advance? if so, it may help to type up the basic structure of the presentation and then fill in the details as you listen.<br />
<br />
'''Tip:''' Be careful. Some events are more private that others; if it's a small event make sure that people are OK with your tweeting.<br />
<br />
'''Bonus tip:''' If you have multiple people covering an event, set up a Google spreadsheet with the list of all sessions, times, and people covering the conference. From there, writers can indicate which sessions they are covering so they are not duplicating efforts.<br />
<br />
'''Decide on a writing platform.''' In addition to deciding which sessions you want to cover, decide how you want to capture information from each session. Because internet connections can never be relied upon 100 percent, we suggest to write in a text editor so you don’t have to worry about connectivity.<br />
<br />
Decide what kind of content to produce: There are a number of ways you can cover sessions at an event, and you should decide what format will work best for your audience before you get on-site. Here are a few general options:<br />
<br />
1- '''Live blogging:''' This is reporting from a session in real time.<br />
<br />
'''Pro:''' You can provide immediate coverage of an event.<br />
<br />
'''Con:''' Depending on how many posts you publish, your audience may feel a bit overwhelmed.<br />
<br />
2- '''Daily wrap-ups:''' This is providing highlights from the conference from each day.<br />
<br />
'''Pro:''' These posts are easy to digest.<br />
<br />
'''Con:''' It’s not a good option if your audience wants detailed information.<br />
<br />
3- '''Post-event coverage:''' Collect content that you can then use after the event. This content may be a bit more refined, and it could have a bit of a different spin than “straight coverage” of a session.<br />
<br />
'''Pro:''' You can focus on the best content from the event and in essence be a filter for your audience.<br />
<br />
'''Con:''' This is not a good option if the information is time sensitive, or there are a lot of other people covering the event quickly.<br />
<br />
Regardless of if you are publishing your content in real time or dripping it out, here are some ways to generate interest in your coverage:<br />
<br />
'''Announce what you will cover.''' If you are going to be changing your regular posting schedule and publishing live blogs throughout a conference, it’s a good idea to let your readers know. You can also use this post to announce if someone from your organization will be speaking.<br />
<br />
Example: Check out what #genderit announced that will be covering at the #CSW59<br />
<br />
'''Tease your session.''' If you are speaking at the event, you may want to write about your session before it occurs. Not only is this is a great way to repurpose content that you have spent a lot of time creating, but it also builds anticipation for your session.<br />
<br />
Example: Susan Marx wrote about an internet intermediaries’ guide to social media and online VAW fighting strategy, which was a preview of the presentation she gave last year at #CSW58.<br />
<br />
'''Step-by-step posts.''' One classic way to cover a session is to do a rundown of the ideas the speaker shared, following the same structure as the presentation. This is especially easy to do if the speaker is covering a process or another well-organized topic.<br />
<br />
Example: Susan Marx shared her wrap-up of a panel discussion on how to eradicate online violence against women at the #CSW59.<br />
<br />
'''Bonus tip:''' If you are doing live tweeting, you can use this: “I put a live blogging disclaimer at the top of the post that says, ‘I’m live tweeting, excuse lapses of grammar, spelling errors, and typos‘” <br />
<br />
'''Summary of tweets.''' Another fun thing you can do is follow the Twitter stream during the presentation and record the most insightful and popular tweets and share them in a post (check Storify below).<br />
<br />
Example: Missed the event and looking for a compilation of debates? Check our most tweetable moments from #CSW58<br />
<br />
'''A compilation of Instagram photos.''' There are a lot of intangibles you experience when attending an event. Capture them by taking photos or curating what others have shared and post that on Twitter (always remember to respect people's right to privacy and anonymity).<br />
<br />
Example: 45 GenderIT.org insider Instagram pics from workshops at #CSW58<br />
<br />
'''Wrap-up posts.''' When necessary, instead of covering individual sessions, consider writing a wrap-up post that outlines the key points you found most valuable or compelling, and share the link with a tweet that is appealing and captures the best of the article.<br />
<br />
Example: [https://www.apc.org/en/node/20266/ #SectionJ: From footnotes to headlines] <br />
<br />
After you do all your thing on Twitter, and the event is almost finished, you need to give it a bit of love. Here are some easy ways to increase the distribution of your conference content on Twitter (and this can also apply by email):<br />
<br />
- Include the event hashtag in the title of the materials you are posting on Twitter, since it is an easy way to help spread the word about your post and to have it automatically included in the Twitter stream.<br />
<br />
- Send your content to the event’s organizers too, contacting them via Twitter or email. While your audience will hopefully benefit from your coverage of the event, the event organizers will likely want to see and share your post, as well.<br />
<br />
=== ''Facebook'' ===<br />
<br />
<br />
1. Take Back the Tech (in English) and APC (in English, Spanish and French) pages are the only official Facebook pages APC uses. <br />
<br />
2. Writers are invited to post on Facebook using their personal accounts all links and photos considered relevant. <br />
<br />
3. Inviting people at the event to “like” the pages and to post relevant links as well is another possibility. <br />
<br />
<br />
=== ''Pictures'' ===<br />
<br />
<br />
1. We always appreciate having pictures to illustrate the articles or for some other purposes, so picture taking is more than encouraged.<br />
2. You can upload them to a Flickr account and share them with the editors, also by email, or upload it yourself to illustrate your output.<br />
<br />
'''Tip:''' Please remember that this entails security and privacy issues for the people in the pictures, so make sure that the people appearing in the image is fine with that. <br />
<br />
<br />
=== ''Storify'' ===<br />
<br />
1. Storify has been successfully used during some events to compile relevant tweets, Facebook posts, YouTube videos and other social media posts. It's a fast and easy way to compose blog posts-like content. <br />
<br />
2. Its also a very useful tool to condense and store in one place debates or interviews carried over Twitter, for instance (as in the first example below).<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/feminist-talk/what-does-it-take-create-feminist-internet What does it take to create a feminist internet?]<br />
<br />
[https://storify.com/APC_News/day-3-sexual-right-privacy-and-technology-common-c Day 3: Sexual Right, Privacy and Technology - Common Concerns Moving Forward]<br />
<br />
=== ''Newsletter edition'' ===<br />
<br />
<br />
Usually, after a big event coverage, a special GenderIT.org/APCNews edition is released (this is not always the case) but it is quite a key and relevant moment in GenderIT.org's editorial timeline, since it spikes our readership interest and it keeps us as reference points on the gender lensed coverage of events that are usually (if covered at all) covered from other perspectives.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-latin-america Gender peripheries of the Internet Governance Forum in Latin America]<br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet Gender, sexuality and the internet]<br />
<br />
[http://www.genderit.org/edition/9th-igf-feminist-talks-scale-over-walls-internet-governance 9th IGF: Feminist talks scale over the walls of internet governance]<br />
<br />
== '''One last word''' ==<br />
<br />
<br />
''Before attending an event''<br />
<br />
1. Check all the publications/promotional material you can bring with you, and with staff members that live in your city. <br />
<br />
2. If you think the event is relevant enough for us to have some materials printed, let us know. <br />
<br />
3. Also check their luggage restrictions and if there's budget available to pay extra weight.<br />
<br />
<br />
''During the event''<br />
<br />
1. Remember to collect business cards of people you consider relevant.<br />
<br />
2. Offer attendees to sign up a sheet for our newsletters.<br />
<br />
<br />
''After attending the event''<br />
<br />
1. Report back to the team on how the event went and all relevant information.<br />
<br />
2. Type down the information you collected on the business cards and please send it to the team.<br />
<br />
3. Send us the suscribers email addresses for the newsletters and we will add them to our database. <br />
<br />
<br />
<br />
== '''Read more: Why are events' coverages important for GenderIT.org''' ==<br />
<br />
<br />
From February to September of 2014, GenderIT.org team carried an evaluation process to respond, among others, to these questions:<br />
<br />
''Is GenderIT.org reaching the audience that it aims to reach?''<br />
<br />
''To what extent are our readers satisfied with GenderIT.org website and content?''<br />
<br />
We consider that it is relevant to feature this information in this section since it will give writers a better idea of the kind of use our readership and writers are making of the website content, and what they like the most, therefore orientate the materials produced during coverage.<br />
<br />
The evaluation data was collected through a readership survey, a survey and interviews with GenderIT.org writers, and an analysis of the website statistics since 2010 to date.<br />
<br />
''Some relevant highlights from the readership survey [1]:''<br />
<br />
* Type of content: In-depth articles were pointed out as extremely useful, and about a quarter of all respondents ranked feminist talks as extremely important.<br />
<br />
* Type of content format: Half of respondents said that they prefer all the three formats named (audio, text, video). Among the remainder, text was the clear favourite.<br />
<br />
* What do readers get from GenderIT.org: Majority of respondents agreed and agreed strongly that when they read GenderIT.org I feel more informed on topics. <br />
<br />
* Majority of respondents disagreed with the affirmation that when they read GenderIT.org they find information similar to what they can get in other websites. <br />
<br />
* Majority of respondents agreed and agreed strongly with the affirmation that when they read GenderIT.org they get an alternative perspective on the issues.<br />
<br />
<br />
''Some relevant highlights from the writers' survey and interviews [2]:''<br />
<br />
* In terms of events coverage, all those who had covered events spoke of the experience as exhilirating if exhausting. There were no suggestions on improving how things are run during the events themselves. <br />
<br />
* It is clear that the events are significant in building the GenderIT.org 'family', making people feel connected and supported.<br />
<br />
* The articles coming from an event are staggered to maintain interest.<br />
<br />
* GenderIT.org needs more and better quality audio for the use in community radio stations.<br />
<br />
<br />
''References:''<br />
<br />
[1] In mid-2014 GenderIT.org disseminated an online questionnaire, requesting that all users of GenderIT.org respond. By the closing date, a total of 162 people had submitted a full questionnaire response to GenderIT.org. <br />
<br />
[2] The writers survey was conducted in July 2014, with a pool of around 100 former and current contributors to GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=General_orientation_for_events_coverage&diff=566General orientation for events coverage2015-06-07T19:37:16Z<p>Tarryn: /* Feminist Talks (blog posts) */</p>
<hr />
<div>[[File:coverage.jpg|thumb|200px]]<br />
<br />
GenderIT.org and APCNews have both been recognised for the coverage done in events by readers and writers, becoming one of its substantial outputs when it comes to gender, internet rights and ICT policy arena. <br />
<br />
<br />
== '''What is the dynamic we propose to the team for an event coverage?''' ==<br />
<br />
<br />
GenderIT.org and APCNews commits to keep the core writers informed about any upcoming event of relevance for coverage, so the team is available and ready to go. Team meetings and email contacts will be the spaces to have these discussions and updates.<br />
<br />
The editorial teams team will develop a communications plan before the event, to make sure we are all on the same page, adding background information on the event, why it is relevant to our advocacy goals, what are the responsabilities of each one of us, what are the outputs expected, and what are the expectations in general.<br />
<br />
This plan will include orientation for work previously, during and after the event. Many times the event itself is just the tip of the iceberg: many other things will be needed before, during and after the event in terms of coverage. Please refer to the CSW case linked to this document to use as an example of what we mean by this.<br />
<br />
Once the event its happening, weather we are carrying an on-site or an off-site coverage, the editors will be in touch and available for the writers as much as possible to provide orientation, feedback on whatever is necessary and to make suggestions.<br />
<br />
As mentioned before, sometimes after a big event we prepare a newsletter edition. The content of this edition can be composed by on-site produced content, or in some cases of special materials - usually in-depth articles – commissioned to complement the on-site delivered content. <br />
<br />
One of the ways that the APCNews/GenderIT.org teams have of assessing and monitoring the reach of these editions is through a website statistics report done one month after the edition went out. This search tell us which were the most read materials, the number of visits to the website, the impact on social media, among other indicators. And our experience with these reports has showed us so far that GenderIT.org events coverages are quite successful. These reports can be shared with the team of writers if you consider it is a relevant resource for your orientation.<br />
<br />
<br />
<br />
== '''Events usually covered by GenderIT.org''' ==<br />
<br />
<br />
Even though coverage opportunities change, and our advocacy objectives might give more importance to some events over the others, the coverage that GenderIT.org usually does relates to these spaces:<br />
<br />
===''UN spaces:''===<br />
<br />
''Global Internet Governance Forum (IGF)''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-2010 2010 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-2011-internet-governance-forum 2011 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/IGF2012 2012 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-indonesia 2013 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/9th-igf-feminist-talks-scale-over-walls-internet-governance 2014 IGF coverage condensed in special edition]<br />
<br />
<br />
''Regional and national IGFs''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-latin-america 2013 LAC IGF coverage condensed in special edition] (full coverage in [http://www.genderit.org/es/edition/periferias-del-g-nero-en-el-foro-de-gobernanza-de-internet-en-am-rica-latina Spanish])<br />
<br />
[http://www.genderit.org/feminist-talk/asia-pacific-stakeholders-assert-human-rights-should-be-heart-internet-governance-disc 2014 Asia-Pacific IGF] (stand alone article)<br />
<br />
[http://www.genderit.org/feminist-talk/impacting-global-advocacy-tech-related-violence-against-women-through-regional-igfs Impacting global advocacy on tech-related violence against women through regional IGFs] (stand alone article)<br />
<br />
<br />
''Commission on the Status of Women''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/genderitorg-commission-status-women-2011-new-york 2011 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/end-violence-against-women-language-and-action-csw57th 2013 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/back-and-forth-advancement-womens-rights-csw58 2014 CSW coverage condensed in special edition]<br />
<br />
<br />
''UN Committee on the Elimination of Discrimination against Women (CEDAW)'' <br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/resources/cedaw-apcs-submission-commitee-general-recommendation-girls-women-s-right-education CEDAW: APC's Submission to the Commitee on the General recommendation on girls’/women’s right to education] (stand alone article/resource)<br />
<br />
<br />
''Universal Periodic Review''<br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/edition/womens-human-rights-online-universal-periodic-review Human Rights Council's Universal Periodic Review (UPR)]<br />
<br />
<br />
===''APC's projects related events''===<br />
<br />
''On sexual and internet rights:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet-imagineafeministinternet Global Meeting on Gender, Sexuality and the Internet in 2014] (coverage in synch)<br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet Global Meeting on Gender, Sexuality and the Internet in 2014] (special edition)<br />
<br />
[http://www.genderit.org/edition/erotics-all-over-constellations-debates-sexual-rights-privacy-and-technology EROTICS project meetings in India and United States in 2013] (special edition)<br />
<br />
<br />
''On violence against women:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/taking-control-technology-end-violence-against-women Take Back the Tech! campaign in 2011]<br />
<br />
[http://www.genderit.org/edition/power-stories-reclaim-womens-rights Take Back the Tech! campaign in 2012]<br />
<br />
===''Partners' relevant events''===<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/category/discussion-theme/genderitorg-12th-awid-forum-2012 AWID Forum in 2012]<br />
<br />
<br />
Other local, regional or global initiatives or events related to access, FLOSS, media, human rights, among others.<br />
<br />
<br />
''CSW: A real case of coverage''<br />
<br />
We have attached one report featuring as an example the coverage planned and executed (including final statistical reporting) of the 2013 Commission on the Status of Women (CSW) session in New York. This will be a good case to read through in order to get a sense of how GenderIT.org and APC communications team work like during a relevant event coverage. Check it out here: [[Media:File:CSW case example.pdf]]<br />
<br />
== '''What kind of outputs do we expect from events' coverage?''' ==<br />
<br />
<br />
Writers attending to key events on behalf of GenderIT.org/APCNews or following them remotely are expected to produce certain outputs that will later feed an edition (if that is the case) or be featured on GenderIT.org/APC.org websites, on other APC websites when relevant, and on social media.<br />
<br />
<br />
<br />
=== ''Feminist Talks (blog posts)'' ===<br />
<br />
<br />
'''1.''' Feminist Talks doesn't have to be too long. Around 1500 words is perfectly fine, and we encourage to input as much insight and analysis as possible in the writing. It is usually personal and insightful.<br />
<br />
'''2.''' You can submit your inputs or engage in discussions around women's rights issues in GenderIT.org's Feminist Talk. To submit your blog you should [http://www.genderit.org/user/register create an account] and then navigate to http://www.genderit.org/node/add/blog. <br />
<br />
'''3.''' Make sure you have chosen a profile picture for you and a short byline for the “about” field. Other information is optional.<br />
<br />
'''4.''' You can also send your reflections and photos directly to genderit@apcwomen.org and we will upload them for you. You do not need to be registered to send a comment on other posts.<br />
<br />
'''5.''' Off-site team: Those following the event off-site can help with blogging by using the tweets sent by on-site team as input for their articles, as well as the webcasts when available. This is a good practice that allows us to produce more content and to help on-site team.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/feminist-talk/how-technology-informs-my-activism-conversation-gender-and-technology-activists-barcel How technology informs my activism: A conversation with gender and technology activists in Barcelona]<br />
<br />
[http://www.genderit.org/feminist-talk/video-feminist-talks-feminist-internet Video: Feminist talks on a feminist internet]<br />
<br />
[http://www.genderit.org/feminist-talk/never-mind-nipples-sex-gender-and-social-media Never mind the nipples: Sex, gender and social media] <br />
<br />
[http://www.genderit.org/feminist-talk/how-crucial-anonymity-sexual-exploration-and-promoting-sexual-rights-activism How crucial is anonymity for sexual exploration and promoting sexual rights activism]<br />
<br />
[http://www.genderit.org/editorial/two-weeks-push-greater-recognition-our-rights Two weeks to push for greater recognition of our rights]<br />
<br />
=== ''Articles/interviews'' ===<br />
<br />
<br />
'''1.''' Writers attending the event are expected to write sessions chronicles, articles on hot topics, or interview key advocacy referents. This can be in text format, or video, or an audio interview. It will depend on the kind of material and its quality (you might have a great interview in recorded audio but if the sound quality is not good enough, it is possible that it might have to be turned into a text piece).<br />
<br />
'''2.''' Some of the articles/interviews will be prearranged with GenderIT.org editorial team before the event, having in mind the people attending to that space and the topics covered.<br />
<br />
'''3.''' Criteria for writing articles (extension, depth) is detailed in the GenderIT.org's payment squeme (link) and shall be coordinated with the editors beforehand.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/articles/stripping-igf-bare-where-are-women-s-rights Stripping the IGF bare: where are women´s rights?]<br />
<br />
[http://www.genderit.org/articles/interview-nana-darkoa-adventures-bedroom-african-woman Interview with Nana Darkoa: Adventures from the bedroom of an African woman]<br />
<br />
[http://www.genderit.org/articles/lets-talk-about-gender-analysis-lac-igf Let's talk about gender analysis in the LAC IGF]<br />
<br />
[http://www.genderit.org/articles/women-igf-now-we-need-mainstream-gender Women at the IGF: Now we need to mainstream gender]<br />
<br />
[http://www.genderit.org/articles/digital-world-2012-stories-end-violence-against-women Digital World 2012: stories to end violence against women] <br />
<br />
[http://www.genderit.org/articles/azerbaijan-when-online-security-synonymous-personal-safety Azerbaijan: When online security is synonymous with personal safety]<br />
<br />
=== ''Twitter'' ===<br />
<br />
<br />
1. '''Make sure that you have a Twitter account.''' Make it open (otherwise people who are not following you – the ones we want to reach- won't be able to see your tweets). If you want to keep your Twitter account private you can create a new one for work. Make your user name as personal as you can, (eg: sonia_apc rather than womensprogramme_apc). People are more interested in personal opinions and views rather than organisational speech. Writers are expected to use their accounts for tweeting during events. <br />
<br />
2. '''We use the hashtags''': #genderit and #genderitES for Spanish. APC Twitter accounts are @APC_News @APCNoticias @APCNouvelles @GenderITorg @GenderITorgES.<br />
<br />
3. '''Find out and send us the Twitter accounts of partners/members attending''', so that we can follow them with the GenderIT.org and APC accounts.<br />
<br />
4. Sometimes, before an event, a set of predefined tweets is shared via email to facilitate the tweeting and the dissemination of our key messages.<br />
<br />
5. '''Once at the event, find out what hashtag people are using.''' Sometime there are various hashtags circulating. For instance, with CSW, tweeples could be using various tags — such as #CSW, #CSW59 or #CSW2012. Identify the most popular one. We'll use that hashtag for the box on APC.org.<br />
<br />
6. '''If this event does not have an active hashtag, we will set up one''', probably using somehow the name of the conference, so all tweeples can relate to. This way, you can easily follow the conversation and then create one page with all posts from the event for easy reference (check Storify below). <br />
<br />
7. '''Tweet (in English and/or in Spanish)!''' You can quote panelists and participants (short, summarised and catchy phrases) and/or your reactions to what it's being said, about conversations you have or overhear, your observations, soundbytes, links to interesting resources or news, photos, reminders about events. You can also reply to other participants; many times real participation takes. <br />
<br />
8. '''Re-tweet interesting stuff from other people:''' this will help us build our Twitter audience. <br />
<br />
9. '''Blog.''' Many times you can cut and paste some tweets and replies and make an interesting post with little effort. You can also use tweets for reporting or as a way of taking notes. <br />
<br />
10. '''Invite people to share their own writings:''' You will not be alone in the coverage of an event, so this other people are your allies. Contact them via Twitter or email to give them a heads up on the coverage plans and ask them to send you their stuff.<br />
<br />
Example: Are you going to be writing at #IGF? If so, I would love to include your post(s) in our ongoing event coverage. Send me a DM with a link to your post, and we’ll get it added to our site. <br />
<br />
11. '''Remote team:''' Keep an eye out on tweets, re-tweet conversations, reply and join conversations, and conduct deeper research on tweeted links. Engage as much as possible – we know it is hard not being present physically to follow up what is going on at the event, but we promise you that it is completely possible and useful.<br />
<br />
<br />
'''Tips for live tweeting:'''<br />
<br />
'''Make a plan:''' Choose your sessions in advance. If you are attending an event with multiple tracks, schedule which sessions you’ll be attending and covering in advance. If you don’t want to cover everything you sit in on, consider what your readers will benefit from the most. Once you decide what you will be covering, prep your posts with these basics to save time:<br />
<br />
- Name of the session and speaker: Make sure you can provide a bit of background about the speaker, including links to his/her company, Twitter handle, etc. <br />
<br />
- Details of the session: Is there a Slideshare or a programme available that you can review in advance? if so, it may help to type up the basic structure of the presentation and then fill in the details as you listen.<br />
<br />
'''Tip:''' Be careful. Some events are more private that others; if it's a small event make sure that people are OK with your tweeting.<br />
<br />
'''Bonus tip:''' If you have multiple people covering an event, set up a Google spreadsheet with the list of all sessions, times, and people covering the conference. From there, writers can indicate which sessions they are covering so they are not duplicating efforts.<br />
<br />
'''Decide on a writing platform.''' In addition to deciding which sessions you want to cover, decide how you want to capture information from each session. Because internet connections can never be relied upon 100 percent, we suggest to write in a text editor so you don’t have to worry about connectivity.<br />
<br />
Decide what kind of content to produce: There are a number of ways you can cover sessions at an event, and you should decide what format will work best for your audience before you get on-site. Here are a few general options:<br />
<br />
1- '''Live blogging:''' This is reporting from a session in real time.<br />
<br />
'''Pro:''' You can provide immediate coverage of an event.<br />
<br />
'''Con:''' Depending on how many posts you publish, your audience may feel a bit overwhelmed.<br />
<br />
2- '''Daily wrap-ups:''' This is providing highlights from the conference from each day.<br />
<br />
'''Pro:''' These posts are easy to digest.<br />
<br />
'''Con:''' It’s not a good option if your audience wants detailed information.<br />
<br />
3- '''Post-event coverage:''' Collect content that you can then use after the event. This content may be a bit more refined, and it could have a bit of a different spin than “straight coverage” of a session.<br />
<br />
'''Pro:''' You can focus on the best content from the event and in essence be a filter for your audience.<br />
<br />
'''Con:''' This is not a good option if the information is time sensitive, or there are a lot of other people covering the event quickly.<br />
<br />
Regardless of if you are publishing your content in real time or dripping it out, here are some ways to generate interest in your coverage:<br />
<br />
'''Announce what you will cover.''' If you are going to be changing your regular posting schedule and publishing live blogs throughout a conference, it’s a good idea to let your readers know. You can also use this post to announce if someone from your organization will be speaking.<br />
<br />
Example: Check out what #genderit announced that will be covering at the #CSW59<br />
<br />
'''Tease your session.''' If you are speaking at the event, you may want to write about your session before it occurs. Not only is this is a great way to repurpose content that you have spent a lot of time creating, but it also builds anticipation for your session.<br />
<br />
Example: Susan Marx wrote about an internet intermediaries’ guide to social media and online VAW fighting strategy, which was a preview of the presentation she gave last year at #CSW58.<br />
<br />
'''Step-by-step posts.''' One classic way to cover a session is to do a rundown of the ideas the speaker shared, following the same structure as the presentation. This is especially easy to do if the speaker is covering a process or another well-organized topic.<br />
<br />
Example: Susan Marx shared her wrap-up of a panel discussion on how to eradicate online violence against women at the #CSW59.<br />
<br />
'''Bonus tip:''' If you are doing live tweeting, you can use this: “I put a live blogging disclaimer at the top of the post that says, ‘I’m live tweeting, excuse lapses of grammar, spelling errors, and typos‘” <br />
<br />
'''Summary of tweets.''' Another fun thing you can do is follow the Twitter stream during the presentation and record the most insightful and popular tweets and share them in a post (check Storify below).<br />
<br />
Example: Missed the event and looking for a compilation of debates? Check our most tweetable moments from #CSW58<br />
<br />
'''A compilation of Instagram photos.''' There are a lot of intangibles you experience when attending an event. Capture them by taking photos or curating what others have shared and post that on Twitter (always remember to respect people's right to privacy and anonymity).<br />
<br />
Example: 45 GenderIT.org insider Instagram pics from workshops at #CSW58<br />
<br />
'''Wrap-up posts.''' When necessary, instead of covering individual sessions, consider writing a wrap-up post that outlines the key points you found most valuable or compelling, and share the link with a tweet that is appealing and captures the best of the article.<br />
<br />
Example: [https://www.apc.org/en/node/20266/ #SectionJ: From footnotes to headlines] <br />
<br />
After you do all your thing on Twitter, and the event is almost finished, you need to give it a bit of love. Here are some easy ways to increase the distribution of your conference content on Twitter (and this can also apply by email):<br />
<br />
- Include the event hashtag in the title of the materials you are posting on Twitter, since it is an easy way to help spread the word about your post and to have it automatically included in the Twitter stream.<br />
<br />
- Send your content to the event’s organizers too, contacting them via Twitter or email. While your audience will hopefully benefit from your coverage of the event, the event organizers will likely want to see and share your post, as well.<br />
<br />
=== ''Facebook'' ===<br />
<br />
<br />
1. Take Back the Tech (in English) and APC (in English, Spanish and French) pages are the only official Facebook pages APC uses. <br />
<br />
2. Writers are invited to post on Facebook using their personal accounts all links and photos considered relevant. <br />
<br />
3. Inviting people at the event to “like” the pages and to post relevant links as well is another possibility. <br />
<br />
<br />
=== ''Pictures'' ===<br />
<br />
<br />
1. We always appreciate having pictures to illustrate the articles or for some other purposes, so picture taking is more than encouraged.<br />
2. You can upload them to a Flickr account and share them with the editors, also by email, or upload it yourself to illustrate your output.<br />
<br />
'''Tip:''' Please remember that this entails security and privacy issues for the people in the pictures, so make sure that the people appearing in the image is fine with that. <br />
<br />
<br />
=== ''Storify'' ===<br />
<br />
1. Storify has been successfully used during some events to compile relevant tweets, Facebook posts, YouTube videos and other social media posts. It's a fast and easy way to compose blog posts-like content. <br />
<br />
2. Its also a very useful tool to condense and store in one place debates or interviews carried over Twitter, for instance (as in the first example below).<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/feminist-talk/what-does-it-take-create-feminist-internet What does it take to create a feminist internet?]<br />
<br />
[https://storify.com/APC_News/day-3-sexual-right-privacy-and-technology-common-c Day 3: Sexual Right, Privacy and Technology - Common Concerns Moving Forward]<br />
<br />
=== ''Newsletter edition'' ===<br />
<br />
<br />
Usually, after a big event coverage, a special GenderIT.org/APCNews edition is released (this is not always the case) but it is quite a key and relevant moment in GenderIT.org's editorial timeline, since it spikes our readership interest and it keeps us as reference points on the gender lensed coverage of events that are usually (if covered at all) covered from other perspectives.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-latin-america Gender peripheries of the Internet Governance Forum in Latin America]<br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet Gender, sexuality and the internet]<br />
<br />
[http://www.genderit.org/edition/9th-igf-feminist-talks-scale-over-walls-internet-governance 9th IGF: Feminist talks scale over the walls of internet governance]<br />
<br />
== '''One last word''' ==<br />
<br />
<br />
''Before attending an event''<br />
<br />
1. Check all the publications/promotional material you can bring with you, and with staff members that live in your city. <br />
<br />
2. If you think the event is relevant enough for us to have some materials printed, let us know. <br />
<br />
3. Also check their luggage restrictions and if there's budget available to pay extra weight.<br />
<br />
<br />
''During the event''<br />
<br />
1. Remember to collect business cards of people you consider relevant.<br />
<br />
2. Offer attendees to sign up a sheet for our newsletters.<br />
<br />
<br />
''After attending the event''<br />
<br />
1. Report back to the team on how the event went and all relevant information.<br />
<br />
2. Type down the information you collected on the business cards and please send it to the team.<br />
<br />
3. Send us the suscribers email addresses for the newsletters and we will add them to our database. <br />
<br />
<br />
<br />
== '''Read more: Why are events' coverages important for GenderIT.org''' ==<br />
<br />
<br />
From February to September of 2014, GenderIT.org team carried an evaluation process to respond, among others, to these questions:<br />
<br />
''Is GenderIT.org reaching the audience that it aims to reach?''<br />
<br />
''To what extent are our readers satisfied with GenderIT.org website and content?''<br />
<br />
We consider that it is relevant to feature this information in this section since it will give writers a better idea of the kind of use our readership and writers are making of the website content, and what they like the most, therefore orientate the materials produced during coverage.<br />
<br />
The evaluation data was collected through a readership survey, a survey and interviews with GenderIT.org writers, and an analysis of the website statistics since 2010 to date.<br />
<br />
''Some relevant highlights from the readership survey [1]:''<br />
<br />
* Type of content: In-depth articles were pointed out as extremely useful, and about a quarter of all respondents ranked feminist talks as extremely important.<br />
<br />
* Type of content format: Half of respondents said that they prefer all the three formats named (audio, text, video). Among the remainder, text was the clear favourite.<br />
<br />
* What do readers get from GenderIT.org: Majority of respondents agreed and agreed strongly that when they read GenderIT.org I feel more informed on topics. <br />
<br />
* Majority of respondents disagreed with the affirmation that when they read GenderIT.org they find information similar to what they can get in other websites. <br />
<br />
* Majority of respondents agreed and agreed strongly with the affirmation that when they read GenderIT.org they get an alternative perspective on the issues.<br />
<br />
<br />
''Some relevant highlights from the writers' survey and interviews [2]:''<br />
<br />
* In terms of events coverage, all those who had covered events spoke of the experience as exhilirating if exhausting. There were no suggestions on improving how things are run during the events themselves. <br />
<br />
* It is clear that the events are significant in building the GenderIT.org 'family', making people feel connected and supported.<br />
<br />
* The articles coming from an event are staggered to maintain interest.<br />
<br />
* GenderIT.org needs more and better quality audio for the use in community radio stations.<br />
<br />
<br />
''References:''<br />
<br />
[1] In mid-2014 GenderIT.org disseminated an online questionnaire, requesting that all users of GenderIT.org respond. By the closing date, a total of 162 people had submitted a full questionnaire response to GenderIT.org. <br />
<br />
[2] The writers survey was conducted in July 2014, with a pool of around 100 former and current contributors to GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=General_orientation_for_events_coverage&diff=565General orientation for events coverage2015-06-07T19:36:07Z<p>Tarryn: /* Newsletter edition */</p>
<hr />
<div>[[File:coverage.jpg|thumb|200px]]<br />
<br />
GenderIT.org and APCNews have both been recognised for the coverage done in events by readers and writers, becoming one of its substantial outputs when it comes to gender, internet rights and ICT policy arena. <br />
<br />
<br />
== '''What is the dynamic we propose to the team for an event coverage?''' ==<br />
<br />
<br />
GenderIT.org and APCNews commits to keep the core writers informed about any upcoming event of relevance for coverage, so the team is available and ready to go. Team meetings and email contacts will be the spaces to have these discussions and updates.<br />
<br />
The editorial teams team will develop a communications plan before the event, to make sure we are all on the same page, adding background information on the event, why it is relevant to our advocacy goals, what are the responsabilities of each one of us, what are the outputs expected, and what are the expectations in general.<br />
<br />
This plan will include orientation for work previously, during and after the event. Many times the event itself is just the tip of the iceberg: many other things will be needed before, during and after the event in terms of coverage. Please refer to the CSW case linked to this document to use as an example of what we mean by this.<br />
<br />
Once the event its happening, weather we are carrying an on-site or an off-site coverage, the editors will be in touch and available for the writers as much as possible to provide orientation, feedback on whatever is necessary and to make suggestions.<br />
<br />
As mentioned before, sometimes after a big event we prepare a newsletter edition. The content of this edition can be composed by on-site produced content, or in some cases of special materials - usually in-depth articles – commissioned to complement the on-site delivered content. <br />
<br />
One of the ways that the APCNews/GenderIT.org teams have of assessing and monitoring the reach of these editions is through a website statistics report done one month after the edition went out. This search tell us which were the most read materials, the number of visits to the website, the impact on social media, among other indicators. And our experience with these reports has showed us so far that GenderIT.org events coverages are quite successful. These reports can be shared with the team of writers if you consider it is a relevant resource for your orientation.<br />
<br />
<br />
<br />
== '''Events usually covered by GenderIT.org''' ==<br />
<br />
<br />
Even though coverage opportunities change, and our advocacy objectives might give more importance to some events over the others, the coverage that GenderIT.org usually does relates to these spaces:<br />
<br />
===''UN spaces:''===<br />
<br />
''Global Internet Governance Forum (IGF)''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-2010 2010 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-2011-internet-governance-forum 2011 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/IGF2012 2012 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-indonesia 2013 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/9th-igf-feminist-talks-scale-over-walls-internet-governance 2014 IGF coverage condensed in special edition]<br />
<br />
<br />
''Regional and national IGFs''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-latin-america 2013 LAC IGF coverage condensed in special edition] (full coverage in [http://www.genderit.org/es/edition/periferias-del-g-nero-en-el-foro-de-gobernanza-de-internet-en-am-rica-latina Spanish])<br />
<br />
[http://www.genderit.org/feminist-talk/asia-pacific-stakeholders-assert-human-rights-should-be-heart-internet-governance-disc 2014 Asia-Pacific IGF] (stand alone article)<br />
<br />
[http://www.genderit.org/feminist-talk/impacting-global-advocacy-tech-related-violence-against-women-through-regional-igfs Impacting global advocacy on tech-related violence against women through regional IGFs] (stand alone article)<br />
<br />
<br />
''Commission on the Status of Women''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/genderitorg-commission-status-women-2011-new-york 2011 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/end-violence-against-women-language-and-action-csw57th 2013 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/back-and-forth-advancement-womens-rights-csw58 2014 CSW coverage condensed in special edition]<br />
<br />
<br />
''UN Committee on the Elimination of Discrimination against Women (CEDAW)'' <br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/resources/cedaw-apcs-submission-commitee-general-recommendation-girls-women-s-right-education CEDAW: APC's Submission to the Commitee on the General recommendation on girls’/women’s right to education] (stand alone article/resource)<br />
<br />
<br />
''Universal Periodic Review''<br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/edition/womens-human-rights-online-universal-periodic-review Human Rights Council's Universal Periodic Review (UPR)]<br />
<br />
<br />
===''APC's projects related events''===<br />
<br />
''On sexual and internet rights:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet-imagineafeministinternet Global Meeting on Gender, Sexuality and the Internet in 2014] (coverage in synch)<br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet Global Meeting on Gender, Sexuality and the Internet in 2014] (special edition)<br />
<br />
[http://www.genderit.org/edition/erotics-all-over-constellations-debates-sexual-rights-privacy-and-technology EROTICS project meetings in India and United States in 2013] (special edition)<br />
<br />
<br />
''On violence against women:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/taking-control-technology-end-violence-against-women Take Back the Tech! campaign in 2011]<br />
<br />
[http://www.genderit.org/edition/power-stories-reclaim-womens-rights Take Back the Tech! campaign in 2012]<br />
<br />
===''Partners' relevant events''===<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/category/discussion-theme/genderitorg-12th-awid-forum-2012 AWID Forum in 2012]<br />
<br />
<br />
Other local, regional or global initiatives or events related to access, FLOSS, media, human rights, among others.<br />
<br />
<br />
''CSW: A real case of coverage''<br />
<br />
We have attached one report featuring as an example the coverage planned and executed (including final statistical reporting) of the 2013 Commission on the Status of Women (CSW) session in New York. This will be a good case to read through in order to get a sense of how GenderIT.org and APC communications team work like during a relevant event coverage. Check it out here: [[Media:File:CSW case example.pdf]]<br />
<br />
== '''What kind of outputs do we expect from events' coverage?''' ==<br />
<br />
<br />
Writers attending to key events on behalf of GenderIT.org/APCNews or following them remotely are expected to produce certain outputs that will later feed an edition (if that is the case) or be featured on GenderIT.org/APC.org websites, on other APC websites when relevant, and on social media.<br />
<br />
<br />
<br />
=== ''Feminist Talks (blog posts)'' ===<br />
<br />
<br />
'''1.''' Feminist Talks doesn't have to be too long. Around 1500 words is perfectly fine, and we encourage to input as much insight and analysis as possible in the writing. It is usually personal and insightful.<br />
<br />
'''2.''' You can submit your inputs or engage in discussions around women's rights issues in GenderIT.org's Feminist Talk. To submit your blog you should [http://www.genderit.org/user/register and then navigate to http://www.genderit.org/node/add/blog create an account]. <br />
<br />
'''3.''' Make sure you have chosen a profile picture for you and a short byline for the “about” field. Other information is optional.<br />
<br />
'''4.''' You can also send your reflections and photos directly to genderit@apcwomen.org and we will upload them for you. You do not need to be registered to send a comment on other posts.<br />
<br />
'''5.''' Off-site team: Those following the event off-site can help with blogging by using the tweets sent by on-site team as input for their articles, as well as the webcasts when available. This is a good practice that allows us to produce more content and to help on-site team.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/feminist-talk/how-technology-informs-my-activism-conversation-gender-and-technology-activists-barcel How technology informs my activism: A conversation with gender and technology activists in Barcelona]<br />
<br />
[http://www.genderit.org/feminist-talk/video-feminist-talks-feminist-internet Video: Feminist talks on a feminist internet]<br />
<br />
[http://www.genderit.org/feminist-talk/never-mind-nipples-sex-gender-and-social-media Never mind the nipples: Sex, gender and social media] <br />
<br />
[http://www.genderit.org/feminist-talk/how-crucial-anonymity-sexual-exploration-and-promoting-sexual-rights-activism How crucial is anonymity for sexual exploration and promoting sexual rights activism]<br />
<br />
[http://www.genderit.org/editorial/two-weeks-push-greater-recognition-our-rights Two weeks to push for greater recognition of our rights]<br />
<br />
=== ''Articles/interviews'' ===<br />
<br />
<br />
'''1.''' Writers attending the event are expected to write sessions chronicles, articles on hot topics, or interview key advocacy referents. This can be in text format, or video, or an audio interview. It will depend on the kind of material and its quality (you might have a great interview in recorded audio but if the sound quality is not good enough, it is possible that it might have to be turned into a text piece).<br />
<br />
'''2.''' Some of the articles/interviews will be prearranged with GenderIT.org editorial team before the event, having in mind the people attending to that space and the topics covered.<br />
<br />
'''3.''' Criteria for writing articles (extension, depth) is detailed in the GenderIT.org's payment squeme (link) and shall be coordinated with the editors beforehand.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/articles/stripping-igf-bare-where-are-women-s-rights Stripping the IGF bare: where are women´s rights?]<br />
<br />
[http://www.genderit.org/articles/interview-nana-darkoa-adventures-bedroom-african-woman Interview with Nana Darkoa: Adventures from the bedroom of an African woman]<br />
<br />
[http://www.genderit.org/articles/lets-talk-about-gender-analysis-lac-igf Let's talk about gender analysis in the LAC IGF]<br />
<br />
[http://www.genderit.org/articles/women-igf-now-we-need-mainstream-gender Women at the IGF: Now we need to mainstream gender]<br />
<br />
[http://www.genderit.org/articles/digital-world-2012-stories-end-violence-against-women Digital World 2012: stories to end violence against women] <br />
<br />
[http://www.genderit.org/articles/azerbaijan-when-online-security-synonymous-personal-safety Azerbaijan: When online security is synonymous with personal safety]<br />
<br />
=== ''Twitter'' ===<br />
<br />
<br />
1. '''Make sure that you have a Twitter account.''' Make it open (otherwise people who are not following you – the ones we want to reach- won't be able to see your tweets). If you want to keep your Twitter account private you can create a new one for work. Make your user name as personal as you can, (eg: sonia_apc rather than womensprogramme_apc). People are more interested in personal opinions and views rather than organisational speech. Writers are expected to use their accounts for tweeting during events. <br />
<br />
2. '''We use the hashtags''': #genderit and #genderitES for Spanish. APC Twitter accounts are @APC_News @APCNoticias @APCNouvelles @GenderITorg @GenderITorgES.<br />
<br />
3. '''Find out and send us the Twitter accounts of partners/members attending''', so that we can follow them with the GenderIT.org and APC accounts.<br />
<br />
4. Sometimes, before an event, a set of predefined tweets is shared via email to facilitate the tweeting and the dissemination of our key messages.<br />
<br />
5. '''Once at the event, find out what hashtag people are using.''' Sometime there are various hashtags circulating. For instance, with CSW, tweeples could be using various tags — such as #CSW, #CSW59 or #CSW2012. Identify the most popular one. We'll use that hashtag for the box on APC.org.<br />
<br />
6. '''If this event does not have an active hashtag, we will set up one''', probably using somehow the name of the conference, so all tweeples can relate to. This way, you can easily follow the conversation and then create one page with all posts from the event for easy reference (check Storify below). <br />
<br />
7. '''Tweet (in English and/or in Spanish)!''' You can quote panelists and participants (short, summarised and catchy phrases) and/or your reactions to what it's being said, about conversations you have or overhear, your observations, soundbytes, links to interesting resources or news, photos, reminders about events. You can also reply to other participants; many times real participation takes. <br />
<br />
8. '''Re-tweet interesting stuff from other people:''' this will help us build our Twitter audience. <br />
<br />
9. '''Blog.''' Many times you can cut and paste some tweets and replies and make an interesting post with little effort. You can also use tweets for reporting or as a way of taking notes. <br />
<br />
10. '''Invite people to share their own writings:''' You will not be alone in the coverage of an event, so this other people are your allies. Contact them via Twitter or email to give them a heads up on the coverage plans and ask them to send you their stuff.<br />
<br />
Example: Are you going to be writing at #IGF? If so, I would love to include your post(s) in our ongoing event coverage. Send me a DM with a link to your post, and we’ll get it added to our site. <br />
<br />
11. '''Remote team:''' Keep an eye out on tweets, re-tweet conversations, reply and join conversations, and conduct deeper research on tweeted links. Engage as much as possible – we know it is hard not being present physically to follow up what is going on at the event, but we promise you that it is completely possible and useful.<br />
<br />
<br />
'''Tips for live tweeting:'''<br />
<br />
'''Make a plan:''' Choose your sessions in advance. If you are attending an event with multiple tracks, schedule which sessions you’ll be attending and covering in advance. If you don’t want to cover everything you sit in on, consider what your readers will benefit from the most. Once you decide what you will be covering, prep your posts with these basics to save time:<br />
<br />
- Name of the session and speaker: Make sure you can provide a bit of background about the speaker, including links to his/her company, Twitter handle, etc. <br />
<br />
- Details of the session: Is there a Slideshare or a programme available that you can review in advance? if so, it may help to type up the basic structure of the presentation and then fill in the details as you listen.<br />
<br />
'''Tip:''' Be careful. Some events are more private that others; if it's a small event make sure that people are OK with your tweeting.<br />
<br />
'''Bonus tip:''' If you have multiple people covering an event, set up a Google spreadsheet with the list of all sessions, times, and people covering the conference. From there, writers can indicate which sessions they are covering so they are not duplicating efforts.<br />
<br />
'''Decide on a writing platform.''' In addition to deciding which sessions you want to cover, decide how you want to capture information from each session. Because internet connections can never be relied upon 100 percent, we suggest to write in a text editor so you don’t have to worry about connectivity.<br />
<br />
Decide what kind of content to produce: There are a number of ways you can cover sessions at an event, and you should decide what format will work best for your audience before you get on-site. Here are a few general options:<br />
<br />
1- '''Live blogging:''' This is reporting from a session in real time.<br />
<br />
'''Pro:''' You can provide immediate coverage of an event.<br />
<br />
'''Con:''' Depending on how many posts you publish, your audience may feel a bit overwhelmed.<br />
<br />
2- '''Daily wrap-ups:''' This is providing highlights from the conference from each day.<br />
<br />
'''Pro:''' These posts are easy to digest.<br />
<br />
'''Con:''' It’s not a good option if your audience wants detailed information.<br />
<br />
3- '''Post-event coverage:''' Collect content that you can then use after the event. This content may be a bit more refined, and it could have a bit of a different spin than “straight coverage” of a session.<br />
<br />
'''Pro:''' You can focus on the best content from the event and in essence be a filter for your audience.<br />
<br />
'''Con:''' This is not a good option if the information is time sensitive, or there are a lot of other people covering the event quickly.<br />
<br />
Regardless of if you are publishing your content in real time or dripping it out, here are some ways to generate interest in your coverage:<br />
<br />
'''Announce what you will cover.''' If you are going to be changing your regular posting schedule and publishing live blogs throughout a conference, it’s a good idea to let your readers know. You can also use this post to announce if someone from your organization will be speaking.<br />
<br />
Example: Check out what #genderit announced that will be covering at the #CSW59<br />
<br />
'''Tease your session.''' If you are speaking at the event, you may want to write about your session before it occurs. Not only is this is a great way to repurpose content that you have spent a lot of time creating, but it also builds anticipation for your session.<br />
<br />
Example: Susan Marx wrote about an internet intermediaries’ guide to social media and online VAW fighting strategy, which was a preview of the presentation she gave last year at #CSW58.<br />
<br />
'''Step-by-step posts.''' One classic way to cover a session is to do a rundown of the ideas the speaker shared, following the same structure as the presentation. This is especially easy to do if the speaker is covering a process or another well-organized topic.<br />
<br />
Example: Susan Marx shared her wrap-up of a panel discussion on how to eradicate online violence against women at the #CSW59.<br />
<br />
'''Bonus tip:''' If you are doing live tweeting, you can use this: “I put a live blogging disclaimer at the top of the post that says, ‘I’m live tweeting, excuse lapses of grammar, spelling errors, and typos‘” <br />
<br />
'''Summary of tweets.''' Another fun thing you can do is follow the Twitter stream during the presentation and record the most insightful and popular tweets and share them in a post (check Storify below).<br />
<br />
Example: Missed the event and looking for a compilation of debates? Check our most tweetable moments from #CSW58<br />
<br />
'''A compilation of Instagram photos.''' There are a lot of intangibles you experience when attending an event. Capture them by taking photos or curating what others have shared and post that on Twitter (always remember to respect people's right to privacy and anonymity).<br />
<br />
Example: 45 GenderIT.org insider Instagram pics from workshops at #CSW58<br />
<br />
'''Wrap-up posts.''' When necessary, instead of covering individual sessions, consider writing a wrap-up post that outlines the key points you found most valuable or compelling, and share the link with a tweet that is appealing and captures the best of the article.<br />
<br />
Example: [https://www.apc.org/en/node/20266/ #SectionJ: From footnotes to headlines] <br />
<br />
After you do all your thing on Twitter, and the event is almost finished, you need to give it a bit of love. Here are some easy ways to increase the distribution of your conference content on Twitter (and this can also apply by email):<br />
<br />
- Include the event hashtag in the title of the materials you are posting on Twitter, since it is an easy way to help spread the word about your post and to have it automatically included in the Twitter stream.<br />
<br />
- Send your content to the event’s organizers too, contacting them via Twitter or email. While your audience will hopefully benefit from your coverage of the event, the event organizers will likely want to see and share your post, as well.<br />
<br />
=== ''Facebook'' ===<br />
<br />
<br />
1. Take Back the Tech (in English) and APC (in English, Spanish and French) pages are the only official Facebook pages APC uses. <br />
<br />
2. Writers are invited to post on Facebook using their personal accounts all links and photos considered relevant. <br />
<br />
3. Inviting people at the event to “like” the pages and to post relevant links as well is another possibility. <br />
<br />
<br />
=== ''Pictures'' ===<br />
<br />
<br />
1. We always appreciate having pictures to illustrate the articles or for some other purposes, so picture taking is more than encouraged.<br />
2. You can upload them to a Flickr account and share them with the editors, also by email, or upload it yourself to illustrate your output.<br />
<br />
'''Tip:''' Please remember that this entails security and privacy issues for the people in the pictures, so make sure that the people appearing in the image is fine with that. <br />
<br />
<br />
=== ''Storify'' ===<br />
<br />
1. Storify has been successfully used during some events to compile relevant tweets, Facebook posts, YouTube videos and other social media posts. It's a fast and easy way to compose blog posts-like content. <br />
<br />
2. Its also a very useful tool to condense and store in one place debates or interviews carried over Twitter, for instance (as in the first example below).<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/feminist-talk/what-does-it-take-create-feminist-internet What does it take to create a feminist internet?]<br />
<br />
[https://storify.com/APC_News/day-3-sexual-right-privacy-and-technology-common-c Day 3: Sexual Right, Privacy and Technology - Common Concerns Moving Forward]<br />
<br />
=== ''Newsletter edition'' ===<br />
<br />
<br />
Usually, after a big event coverage, a special GenderIT.org/APCNews edition is released (this is not always the case) but it is quite a key and relevant moment in GenderIT.org's editorial timeline, since it spikes our readership interest and it keeps us as reference points on the gender lensed coverage of events that are usually (if covered at all) covered from other perspectives.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-latin-america Gender peripheries of the Internet Governance Forum in Latin America]<br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet Gender, sexuality and the internet]<br />
<br />
[http://www.genderit.org/edition/9th-igf-feminist-talks-scale-over-walls-internet-governance 9th IGF: Feminist talks scale over the walls of internet governance]<br />
<br />
== '''One last word''' ==<br />
<br />
<br />
''Before attending an event''<br />
<br />
1. Check all the publications/promotional material you can bring with you, and with staff members that live in your city. <br />
<br />
2. If you think the event is relevant enough for us to have some materials printed, let us know. <br />
<br />
3. Also check their luggage restrictions and if there's budget available to pay extra weight.<br />
<br />
<br />
''During the event''<br />
<br />
1. Remember to collect business cards of people you consider relevant.<br />
<br />
2. Offer attendees to sign up a sheet for our newsletters.<br />
<br />
<br />
''After attending the event''<br />
<br />
1. Report back to the team on how the event went and all relevant information.<br />
<br />
2. Type down the information you collected on the business cards and please send it to the team.<br />
<br />
3. Send us the suscribers email addresses for the newsletters and we will add them to our database. <br />
<br />
<br />
<br />
== '''Read more: Why are events' coverages important for GenderIT.org''' ==<br />
<br />
<br />
From February to September of 2014, GenderIT.org team carried an evaluation process to respond, among others, to these questions:<br />
<br />
''Is GenderIT.org reaching the audience that it aims to reach?''<br />
<br />
''To what extent are our readers satisfied with GenderIT.org website and content?''<br />
<br />
We consider that it is relevant to feature this information in this section since it will give writers a better idea of the kind of use our readership and writers are making of the website content, and what they like the most, therefore orientate the materials produced during coverage.<br />
<br />
The evaluation data was collected through a readership survey, a survey and interviews with GenderIT.org writers, and an analysis of the website statistics since 2010 to date.<br />
<br />
''Some relevant highlights from the readership survey [1]:''<br />
<br />
* Type of content: In-depth articles were pointed out as extremely useful, and about a quarter of all respondents ranked feminist talks as extremely important.<br />
<br />
* Type of content format: Half of respondents said that they prefer all the three formats named (audio, text, video). Among the remainder, text was the clear favourite.<br />
<br />
* What do readers get from GenderIT.org: Majority of respondents agreed and agreed strongly that when they read GenderIT.org I feel more informed on topics. <br />
<br />
* Majority of respondents disagreed with the affirmation that when they read GenderIT.org they find information similar to what they can get in other websites. <br />
<br />
* Majority of respondents agreed and agreed strongly with the affirmation that when they read GenderIT.org they get an alternative perspective on the issues.<br />
<br />
<br />
''Some relevant highlights from the writers' survey and interviews [2]:''<br />
<br />
* In terms of events coverage, all those who had covered events spoke of the experience as exhilirating if exhausting. There were no suggestions on improving how things are run during the events themselves. <br />
<br />
* It is clear that the events are significant in building the GenderIT.org 'family', making people feel connected and supported.<br />
<br />
* The articles coming from an event are staggered to maintain interest.<br />
<br />
* GenderIT.org needs more and better quality audio for the use in community radio stations.<br />
<br />
<br />
''References:''<br />
<br />
[1] In mid-2014 GenderIT.org disseminated an online questionnaire, requesting that all users of GenderIT.org respond. By the closing date, a total of 162 people had submitted a full questionnaire response to GenderIT.org. <br />
<br />
[2] The writers survey was conducted in July 2014, with a pool of around 100 former and current contributors to GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=General_orientation_for_events_coverage&diff=564General orientation for events coverage2015-06-07T19:35:15Z<p>Tarryn: /* Storify */</p>
<hr />
<div>[[File:coverage.jpg|thumb|200px]]<br />
<br />
GenderIT.org and APCNews have both been recognised for the coverage done in events by readers and writers, becoming one of its substantial outputs when it comes to gender, internet rights and ICT policy arena. <br />
<br />
<br />
== '''What is the dynamic we propose to the team for an event coverage?''' ==<br />
<br />
<br />
GenderIT.org and APCNews commits to keep the core writers informed about any upcoming event of relevance for coverage, so the team is available and ready to go. Team meetings and email contacts will be the spaces to have these discussions and updates.<br />
<br />
The editorial teams team will develop a communications plan before the event, to make sure we are all on the same page, adding background information on the event, why it is relevant to our advocacy goals, what are the responsabilities of each one of us, what are the outputs expected, and what are the expectations in general.<br />
<br />
This plan will include orientation for work previously, during and after the event. Many times the event itself is just the tip of the iceberg: many other things will be needed before, during and after the event in terms of coverage. Please refer to the CSW case linked to this document to use as an example of what we mean by this.<br />
<br />
Once the event its happening, weather we are carrying an on-site or an off-site coverage, the editors will be in touch and available for the writers as much as possible to provide orientation, feedback on whatever is necessary and to make suggestions.<br />
<br />
As mentioned before, sometimes after a big event we prepare a newsletter edition. The content of this edition can be composed by on-site produced content, or in some cases of special materials - usually in-depth articles – commissioned to complement the on-site delivered content. <br />
<br />
One of the ways that the APCNews/GenderIT.org teams have of assessing and monitoring the reach of these editions is through a website statistics report done one month after the edition went out. This search tell us which were the most read materials, the number of visits to the website, the impact on social media, among other indicators. And our experience with these reports has showed us so far that GenderIT.org events coverages are quite successful. These reports can be shared with the team of writers if you consider it is a relevant resource for your orientation.<br />
<br />
<br />
<br />
== '''Events usually covered by GenderIT.org''' ==<br />
<br />
<br />
Even though coverage opportunities change, and our advocacy objectives might give more importance to some events over the others, the coverage that GenderIT.org usually does relates to these spaces:<br />
<br />
===''UN spaces:''===<br />
<br />
''Global Internet Governance Forum (IGF)''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-2010 2010 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-2011-internet-governance-forum 2011 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/IGF2012 2012 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-indonesia 2013 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/9th-igf-feminist-talks-scale-over-walls-internet-governance 2014 IGF coverage condensed in special edition]<br />
<br />
<br />
''Regional and national IGFs''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-latin-america 2013 LAC IGF coverage condensed in special edition] (full coverage in [http://www.genderit.org/es/edition/periferias-del-g-nero-en-el-foro-de-gobernanza-de-internet-en-am-rica-latina Spanish])<br />
<br />
[http://www.genderit.org/feminist-talk/asia-pacific-stakeholders-assert-human-rights-should-be-heart-internet-governance-disc 2014 Asia-Pacific IGF] (stand alone article)<br />
<br />
[http://www.genderit.org/feminist-talk/impacting-global-advocacy-tech-related-violence-against-women-through-regional-igfs Impacting global advocacy on tech-related violence against women through regional IGFs] (stand alone article)<br />
<br />
<br />
''Commission on the Status of Women''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/genderitorg-commission-status-women-2011-new-york 2011 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/end-violence-against-women-language-and-action-csw57th 2013 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/back-and-forth-advancement-womens-rights-csw58 2014 CSW coverage condensed in special edition]<br />
<br />
<br />
''UN Committee on the Elimination of Discrimination against Women (CEDAW)'' <br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/resources/cedaw-apcs-submission-commitee-general-recommendation-girls-women-s-right-education CEDAW: APC's Submission to the Commitee on the General recommendation on girls’/women’s right to education] (stand alone article/resource)<br />
<br />
<br />
''Universal Periodic Review''<br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/edition/womens-human-rights-online-universal-periodic-review Human Rights Council's Universal Periodic Review (UPR)]<br />
<br />
<br />
===''APC's projects related events''===<br />
<br />
''On sexual and internet rights:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet-imagineafeministinternet Global Meeting on Gender, Sexuality and the Internet in 2014] (coverage in synch)<br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet Global Meeting on Gender, Sexuality and the Internet in 2014] (special edition)<br />
<br />
[http://www.genderit.org/edition/erotics-all-over-constellations-debates-sexual-rights-privacy-and-technology EROTICS project meetings in India and United States in 2013] (special edition)<br />
<br />
<br />
''On violence against women:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/taking-control-technology-end-violence-against-women Take Back the Tech! campaign in 2011]<br />
<br />
[http://www.genderit.org/edition/power-stories-reclaim-womens-rights Take Back the Tech! campaign in 2012]<br />
<br />
===''Partners' relevant events''===<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/category/discussion-theme/genderitorg-12th-awid-forum-2012 AWID Forum in 2012]<br />
<br />
<br />
Other local, regional or global initiatives or events related to access, FLOSS, media, human rights, among others.<br />
<br />
<br />
''CSW: A real case of coverage''<br />
<br />
We have attached one report featuring as an example the coverage planned and executed (including final statistical reporting) of the 2013 Commission on the Status of Women (CSW) session in New York. This will be a good case to read through in order to get a sense of how GenderIT.org and APC communications team work like during a relevant event coverage. Check it out here: [[Media:File:CSW case example.pdf]]<br />
<br />
== '''What kind of outputs do we expect from events' coverage?''' ==<br />
<br />
<br />
Writers attending to key events on behalf of GenderIT.org/APCNews or following them remotely are expected to produce certain outputs that will later feed an edition (if that is the case) or be featured on GenderIT.org/APC.org websites, on other APC websites when relevant, and on social media.<br />
<br />
<br />
<br />
=== ''Feminist Talks (blog posts)'' ===<br />
<br />
<br />
'''1.''' Feminist Talks doesn't have to be too long. Around 1500 words is perfectly fine, and we encourage to input as much insight and analysis as possible in the writing. It is usually personal and insightful.<br />
<br />
'''2.''' You can submit your inputs or engage in discussions around women's rights issues in GenderIT.org's Feminist Talk. To submit your blog you should [http://www.genderit.org/user/register and then navigate to http://www.genderit.org/node/add/blog create an account]. <br />
<br />
'''3.''' Make sure you have chosen a profile picture for you and a short byline for the “about” field. Other information is optional.<br />
<br />
'''4.''' You can also send your reflections and photos directly to genderit@apcwomen.org and we will upload them for you. You do not need to be registered to send a comment on other posts.<br />
<br />
'''5.''' Off-site team: Those following the event off-site can help with blogging by using the tweets sent by on-site team as input for their articles, as well as the webcasts when available. This is a good practice that allows us to produce more content and to help on-site team.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/feminist-talk/how-technology-informs-my-activism-conversation-gender-and-technology-activists-barcel How technology informs my activism: A conversation with gender and technology activists in Barcelona]<br />
<br />
[http://www.genderit.org/feminist-talk/video-feminist-talks-feminist-internet Video: Feminist talks on a feminist internet]<br />
<br />
[http://www.genderit.org/feminist-talk/never-mind-nipples-sex-gender-and-social-media Never mind the nipples: Sex, gender and social media] <br />
<br />
[http://www.genderit.org/feminist-talk/how-crucial-anonymity-sexual-exploration-and-promoting-sexual-rights-activism How crucial is anonymity for sexual exploration and promoting sexual rights activism]<br />
<br />
[http://www.genderit.org/editorial/two-weeks-push-greater-recognition-our-rights Two weeks to push for greater recognition of our rights]<br />
<br />
=== ''Articles/interviews'' ===<br />
<br />
<br />
'''1.''' Writers attending the event are expected to write sessions chronicles, articles on hot topics, or interview key advocacy referents. This can be in text format, or video, or an audio interview. It will depend on the kind of material and its quality (you might have a great interview in recorded audio but if the sound quality is not good enough, it is possible that it might have to be turned into a text piece).<br />
<br />
'''2.''' Some of the articles/interviews will be prearranged with GenderIT.org editorial team before the event, having in mind the people attending to that space and the topics covered.<br />
<br />
'''3.''' Criteria for writing articles (extension, depth) is detailed in the GenderIT.org's payment squeme (link) and shall be coordinated with the editors beforehand.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/articles/stripping-igf-bare-where-are-women-s-rights Stripping the IGF bare: where are women´s rights?]<br />
<br />
[http://www.genderit.org/articles/interview-nana-darkoa-adventures-bedroom-african-woman Interview with Nana Darkoa: Adventures from the bedroom of an African woman]<br />
<br />
[http://www.genderit.org/articles/lets-talk-about-gender-analysis-lac-igf Let's talk about gender analysis in the LAC IGF]<br />
<br />
[http://www.genderit.org/articles/women-igf-now-we-need-mainstream-gender Women at the IGF: Now we need to mainstream gender]<br />
<br />
[http://www.genderit.org/articles/digital-world-2012-stories-end-violence-against-women Digital World 2012: stories to end violence against women] <br />
<br />
[http://www.genderit.org/articles/azerbaijan-when-online-security-synonymous-personal-safety Azerbaijan: When online security is synonymous with personal safety]<br />
<br />
=== ''Twitter'' ===<br />
<br />
<br />
1. '''Make sure that you have a Twitter account.''' Make it open (otherwise people who are not following you – the ones we want to reach- won't be able to see your tweets). If you want to keep your Twitter account private you can create a new one for work. Make your user name as personal as you can, (eg: sonia_apc rather than womensprogramme_apc). People are more interested in personal opinions and views rather than organisational speech. Writers are expected to use their accounts for tweeting during events. <br />
<br />
2. '''We use the hashtags''': #genderit and #genderitES for Spanish. APC Twitter accounts are @APC_News @APCNoticias @APCNouvelles @GenderITorg @GenderITorgES.<br />
<br />
3. '''Find out and send us the Twitter accounts of partners/members attending''', so that we can follow them with the GenderIT.org and APC accounts.<br />
<br />
4. Sometimes, before an event, a set of predefined tweets is shared via email to facilitate the tweeting and the dissemination of our key messages.<br />
<br />
5. '''Once at the event, find out what hashtag people are using.''' Sometime there are various hashtags circulating. For instance, with CSW, tweeples could be using various tags — such as #CSW, #CSW59 or #CSW2012. Identify the most popular one. We'll use that hashtag for the box on APC.org.<br />
<br />
6. '''If this event does not have an active hashtag, we will set up one''', probably using somehow the name of the conference, so all tweeples can relate to. This way, you can easily follow the conversation and then create one page with all posts from the event for easy reference (check Storify below). <br />
<br />
7. '''Tweet (in English and/or in Spanish)!''' You can quote panelists and participants (short, summarised and catchy phrases) and/or your reactions to what it's being said, about conversations you have or overhear, your observations, soundbytes, links to interesting resources or news, photos, reminders about events. You can also reply to other participants; many times real participation takes. <br />
<br />
8. '''Re-tweet interesting stuff from other people:''' this will help us build our Twitter audience. <br />
<br />
9. '''Blog.''' Many times you can cut and paste some tweets and replies and make an interesting post with little effort. You can also use tweets for reporting or as a way of taking notes. <br />
<br />
10. '''Invite people to share their own writings:''' You will not be alone in the coverage of an event, so this other people are your allies. Contact them via Twitter or email to give them a heads up on the coverage plans and ask them to send you their stuff.<br />
<br />
Example: Are you going to be writing at #IGF? If so, I would love to include your post(s) in our ongoing event coverage. Send me a DM with a link to your post, and we’ll get it added to our site. <br />
<br />
11. '''Remote team:''' Keep an eye out on tweets, re-tweet conversations, reply and join conversations, and conduct deeper research on tweeted links. Engage as much as possible – we know it is hard not being present physically to follow up what is going on at the event, but we promise you that it is completely possible and useful.<br />
<br />
<br />
'''Tips for live tweeting:'''<br />
<br />
'''Make a plan:''' Choose your sessions in advance. If you are attending an event with multiple tracks, schedule which sessions you’ll be attending and covering in advance. If you don’t want to cover everything you sit in on, consider what your readers will benefit from the most. Once you decide what you will be covering, prep your posts with these basics to save time:<br />
<br />
- Name of the session and speaker: Make sure you can provide a bit of background about the speaker, including links to his/her company, Twitter handle, etc. <br />
<br />
- Details of the session: Is there a Slideshare or a programme available that you can review in advance? if so, it may help to type up the basic structure of the presentation and then fill in the details as you listen.<br />
<br />
'''Tip:''' Be careful. Some events are more private that others; if it's a small event make sure that people are OK with your tweeting.<br />
<br />
'''Bonus tip:''' If you have multiple people covering an event, set up a Google spreadsheet with the list of all sessions, times, and people covering the conference. From there, writers can indicate which sessions they are covering so they are not duplicating efforts.<br />
<br />
'''Decide on a writing platform.''' In addition to deciding which sessions you want to cover, decide how you want to capture information from each session. Because internet connections can never be relied upon 100 percent, we suggest to write in a text editor so you don’t have to worry about connectivity.<br />
<br />
Decide what kind of content to produce: There are a number of ways you can cover sessions at an event, and you should decide what format will work best for your audience before you get on-site. Here are a few general options:<br />
<br />
1- '''Live blogging:''' This is reporting from a session in real time.<br />
<br />
'''Pro:''' You can provide immediate coverage of an event.<br />
<br />
'''Con:''' Depending on how many posts you publish, your audience may feel a bit overwhelmed.<br />
<br />
2- '''Daily wrap-ups:''' This is providing highlights from the conference from each day.<br />
<br />
'''Pro:''' These posts are easy to digest.<br />
<br />
'''Con:''' It’s not a good option if your audience wants detailed information.<br />
<br />
3- '''Post-event coverage:''' Collect content that you can then use after the event. This content may be a bit more refined, and it could have a bit of a different spin than “straight coverage” of a session.<br />
<br />
'''Pro:''' You can focus on the best content from the event and in essence be a filter for your audience.<br />
<br />
'''Con:''' This is not a good option if the information is time sensitive, or there are a lot of other people covering the event quickly.<br />
<br />
Regardless of if you are publishing your content in real time or dripping it out, here are some ways to generate interest in your coverage:<br />
<br />
'''Announce what you will cover.''' If you are going to be changing your regular posting schedule and publishing live blogs throughout a conference, it’s a good idea to let your readers know. You can also use this post to announce if someone from your organization will be speaking.<br />
<br />
Example: Check out what #genderit announced that will be covering at the #CSW59<br />
<br />
'''Tease your session.''' If you are speaking at the event, you may want to write about your session before it occurs. Not only is this is a great way to repurpose content that you have spent a lot of time creating, but it also builds anticipation for your session.<br />
<br />
Example: Susan Marx wrote about an internet intermediaries’ guide to social media and online VAW fighting strategy, which was a preview of the presentation she gave last year at #CSW58.<br />
<br />
'''Step-by-step posts.''' One classic way to cover a session is to do a rundown of the ideas the speaker shared, following the same structure as the presentation. This is especially easy to do if the speaker is covering a process or another well-organized topic.<br />
<br />
Example: Susan Marx shared her wrap-up of a panel discussion on how to eradicate online violence against women at the #CSW59.<br />
<br />
'''Bonus tip:''' If you are doing live tweeting, you can use this: “I put a live blogging disclaimer at the top of the post that says, ‘I’m live tweeting, excuse lapses of grammar, spelling errors, and typos‘” <br />
<br />
'''Summary of tweets.''' Another fun thing you can do is follow the Twitter stream during the presentation and record the most insightful and popular tweets and share them in a post (check Storify below).<br />
<br />
Example: Missed the event and looking for a compilation of debates? Check our most tweetable moments from #CSW58<br />
<br />
'''A compilation of Instagram photos.''' There are a lot of intangibles you experience when attending an event. Capture them by taking photos or curating what others have shared and post that on Twitter (always remember to respect people's right to privacy and anonymity).<br />
<br />
Example: 45 GenderIT.org insider Instagram pics from workshops at #CSW58<br />
<br />
'''Wrap-up posts.''' When necessary, instead of covering individual sessions, consider writing a wrap-up post that outlines the key points you found most valuable or compelling, and share the link with a tweet that is appealing and captures the best of the article.<br />
<br />
Example: [https://www.apc.org/en/node/20266/ #SectionJ: From footnotes to headlines] <br />
<br />
After you do all your thing on Twitter, and the event is almost finished, you need to give it a bit of love. Here are some easy ways to increase the distribution of your conference content on Twitter (and this can also apply by email):<br />
<br />
- Include the event hashtag in the title of the materials you are posting on Twitter, since it is an easy way to help spread the word about your post and to have it automatically included in the Twitter stream.<br />
<br />
- Send your content to the event’s organizers too, contacting them via Twitter or email. While your audience will hopefully benefit from your coverage of the event, the event organizers will likely want to see and share your post, as well.<br />
<br />
=== ''Facebook'' ===<br />
<br />
<br />
1. Take Back the Tech (in English) and APC (in English, Spanish and French) pages are the only official Facebook pages APC uses. <br />
<br />
2. Writers are invited to post on Facebook using their personal accounts all links and photos considered relevant. <br />
<br />
3. Inviting people at the event to “like” the pages and to post relevant links as well is another possibility. <br />
<br />
<br />
=== ''Pictures'' ===<br />
<br />
<br />
1. We always appreciate having pictures to illustrate the articles or for some other purposes, so picture taking is more than encouraged.<br />
2. You can upload them to a Flickr account and share them with the editors, also by email, or upload it yourself to illustrate your output.<br />
<br />
'''Tip:''' Please remember that this entails security and privacy issues for the people in the pictures, so make sure that the people appearing in the image is fine with that. <br />
<br />
<br />
=== ''Storify'' ===<br />
<br />
1. Storify has been successfully used during some events to compile relevant tweets, Facebook posts, YouTube videos and other social media posts. It's a fast and easy way to compose blog posts-like content. <br />
<br />
2. Its also a very useful tool to condense and store in one place debates or interviews carried over Twitter, for instance (as in the first example below).<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/feminist-talk/what-does-it-take-create-feminist-internet What does it take to create a feminist internet?]<br />
<br />
[https://storify.com/APC_News/day-3-sexual-right-privacy-and-technology-common-c Day 3: Sexual Right, Privacy and Technology - Common Concerns Moving Forward]<br />
<br />
=== ''Newsletter edition'' ===<br />
<br />
<br />
Usually, after a big event coverage, a special GenderIT.org/APCNews edition is released (this is not always the case) but it is quite a key and relevant moment in GenderIT.org's editorial timeline, since it spikes our readership interest and it keeps us as reference points on the gender lensed coverage of events that are usually (if covered at all) covered from other perspectives.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
Gender peripheries of the Internet Governance Forum in Latin America<br />
<br />
Gender, sexuality and the internet<br />
<br />
9th IGF: Feminist talks scale over the walls of internet governance<br />
<br />
<br />
== '''One last word''' ==<br />
<br />
<br />
''Before attending an event''<br />
<br />
1. Check all the publications/promotional material you can bring with you, and with staff members that live in your city. <br />
<br />
2. If you think the event is relevant enough for us to have some materials printed, let us know. <br />
<br />
3. Also check their luggage restrictions and if there's budget available to pay extra weight.<br />
<br />
<br />
''During the event''<br />
<br />
1. Remember to collect business cards of people you consider relevant.<br />
<br />
2. Offer attendees to sign up a sheet for our newsletters.<br />
<br />
<br />
''After attending the event''<br />
<br />
1. Report back to the team on how the event went and all relevant information.<br />
<br />
2. Type down the information you collected on the business cards and please send it to the team.<br />
<br />
3. Send us the suscribers email addresses for the newsletters and we will add them to our database. <br />
<br />
<br />
<br />
== '''Read more: Why are events' coverages important for GenderIT.org''' ==<br />
<br />
<br />
From February to September of 2014, GenderIT.org team carried an evaluation process to respond, among others, to these questions:<br />
<br />
''Is GenderIT.org reaching the audience that it aims to reach?''<br />
<br />
''To what extent are our readers satisfied with GenderIT.org website and content?''<br />
<br />
We consider that it is relevant to feature this information in this section since it will give writers a better idea of the kind of use our readership and writers are making of the website content, and what they like the most, therefore orientate the materials produced during coverage.<br />
<br />
The evaluation data was collected through a readership survey, a survey and interviews with GenderIT.org writers, and an analysis of the website statistics since 2010 to date.<br />
<br />
''Some relevant highlights from the readership survey [1]:''<br />
<br />
* Type of content: In-depth articles were pointed out as extremely useful, and about a quarter of all respondents ranked feminist talks as extremely important.<br />
<br />
* Type of content format: Half of respondents said that they prefer all the three formats named (audio, text, video). Among the remainder, text was the clear favourite.<br />
<br />
* What do readers get from GenderIT.org: Majority of respondents agreed and agreed strongly that when they read GenderIT.org I feel more informed on topics. <br />
<br />
* Majority of respondents disagreed with the affirmation that when they read GenderIT.org they find information similar to what they can get in other websites. <br />
<br />
* Majority of respondents agreed and agreed strongly with the affirmation that when they read GenderIT.org they get an alternative perspective on the issues.<br />
<br />
<br />
''Some relevant highlights from the writers' survey and interviews [2]:''<br />
<br />
* In terms of events coverage, all those who had covered events spoke of the experience as exhilirating if exhausting. There were no suggestions on improving how things are run during the events themselves. <br />
<br />
* It is clear that the events are significant in building the GenderIT.org 'family', making people feel connected and supported.<br />
<br />
* The articles coming from an event are staggered to maintain interest.<br />
<br />
* GenderIT.org needs more and better quality audio for the use in community radio stations.<br />
<br />
<br />
''References:''<br />
<br />
[1] In mid-2014 GenderIT.org disseminated an online questionnaire, requesting that all users of GenderIT.org respond. By the closing date, a total of 162 people had submitted a full questionnaire response to GenderIT.org. <br />
<br />
[2] The writers survey was conducted in July 2014, with a pool of around 100 former and current contributors to GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=General_orientation_for_events_coverage&diff=563General orientation for events coverage2015-06-07T19:34:24Z<p>Tarryn: /* Twitter */</p>
<hr />
<div>[[File:coverage.jpg|thumb|200px]]<br />
<br />
GenderIT.org and APCNews have both been recognised for the coverage done in events by readers and writers, becoming one of its substantial outputs when it comes to gender, internet rights and ICT policy arena. <br />
<br />
<br />
== '''What is the dynamic we propose to the team for an event coverage?''' ==<br />
<br />
<br />
GenderIT.org and APCNews commits to keep the core writers informed about any upcoming event of relevance for coverage, so the team is available and ready to go. Team meetings and email contacts will be the spaces to have these discussions and updates.<br />
<br />
The editorial teams team will develop a communications plan before the event, to make sure we are all on the same page, adding background information on the event, why it is relevant to our advocacy goals, what are the responsabilities of each one of us, what are the outputs expected, and what are the expectations in general.<br />
<br />
This plan will include orientation for work previously, during and after the event. Many times the event itself is just the tip of the iceberg: many other things will be needed before, during and after the event in terms of coverage. Please refer to the CSW case linked to this document to use as an example of what we mean by this.<br />
<br />
Once the event its happening, weather we are carrying an on-site or an off-site coverage, the editors will be in touch and available for the writers as much as possible to provide orientation, feedback on whatever is necessary and to make suggestions.<br />
<br />
As mentioned before, sometimes after a big event we prepare a newsletter edition. The content of this edition can be composed by on-site produced content, or in some cases of special materials - usually in-depth articles – commissioned to complement the on-site delivered content. <br />
<br />
One of the ways that the APCNews/GenderIT.org teams have of assessing and monitoring the reach of these editions is through a website statistics report done one month after the edition went out. This search tell us which were the most read materials, the number of visits to the website, the impact on social media, among other indicators. And our experience with these reports has showed us so far that GenderIT.org events coverages are quite successful. These reports can be shared with the team of writers if you consider it is a relevant resource for your orientation.<br />
<br />
<br />
<br />
== '''Events usually covered by GenderIT.org''' ==<br />
<br />
<br />
Even though coverage opportunities change, and our advocacy objectives might give more importance to some events over the others, the coverage that GenderIT.org usually does relates to these spaces:<br />
<br />
===''UN spaces:''===<br />
<br />
''Global Internet Governance Forum (IGF)''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-2010 2010 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-2011-internet-governance-forum 2011 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/IGF2012 2012 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-indonesia 2013 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/9th-igf-feminist-talks-scale-over-walls-internet-governance 2014 IGF coverage condensed in special edition]<br />
<br />
<br />
''Regional and national IGFs''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-latin-america 2013 LAC IGF coverage condensed in special edition] (full coverage in [http://www.genderit.org/es/edition/periferias-del-g-nero-en-el-foro-de-gobernanza-de-internet-en-am-rica-latina Spanish])<br />
<br />
[http://www.genderit.org/feminist-talk/asia-pacific-stakeholders-assert-human-rights-should-be-heart-internet-governance-disc 2014 Asia-Pacific IGF] (stand alone article)<br />
<br />
[http://www.genderit.org/feminist-talk/impacting-global-advocacy-tech-related-violence-against-women-through-regional-igfs Impacting global advocacy on tech-related violence against women through regional IGFs] (stand alone article)<br />
<br />
<br />
''Commission on the Status of Women''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/genderitorg-commission-status-women-2011-new-york 2011 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/end-violence-against-women-language-and-action-csw57th 2013 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/back-and-forth-advancement-womens-rights-csw58 2014 CSW coverage condensed in special edition]<br />
<br />
<br />
''UN Committee on the Elimination of Discrimination against Women (CEDAW)'' <br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/resources/cedaw-apcs-submission-commitee-general-recommendation-girls-women-s-right-education CEDAW: APC's Submission to the Commitee on the General recommendation on girls’/women’s right to education] (stand alone article/resource)<br />
<br />
<br />
''Universal Periodic Review''<br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/edition/womens-human-rights-online-universal-periodic-review Human Rights Council's Universal Periodic Review (UPR)]<br />
<br />
<br />
===''APC's projects related events''===<br />
<br />
''On sexual and internet rights:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet-imagineafeministinternet Global Meeting on Gender, Sexuality and the Internet in 2014] (coverage in synch)<br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet Global Meeting on Gender, Sexuality and the Internet in 2014] (special edition)<br />
<br />
[http://www.genderit.org/edition/erotics-all-over-constellations-debates-sexual-rights-privacy-and-technology EROTICS project meetings in India and United States in 2013] (special edition)<br />
<br />
<br />
''On violence against women:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/taking-control-technology-end-violence-against-women Take Back the Tech! campaign in 2011]<br />
<br />
[http://www.genderit.org/edition/power-stories-reclaim-womens-rights Take Back the Tech! campaign in 2012]<br />
<br />
===''Partners' relevant events''===<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/category/discussion-theme/genderitorg-12th-awid-forum-2012 AWID Forum in 2012]<br />
<br />
<br />
Other local, regional or global initiatives or events related to access, FLOSS, media, human rights, among others.<br />
<br />
<br />
''CSW: A real case of coverage''<br />
<br />
We have attached one report featuring as an example the coverage planned and executed (including final statistical reporting) of the 2013 Commission on the Status of Women (CSW) session in New York. This will be a good case to read through in order to get a sense of how GenderIT.org and APC communications team work like during a relevant event coverage. Check it out here: [[Media:File:CSW case example.pdf]]<br />
<br />
== '''What kind of outputs do we expect from events' coverage?''' ==<br />
<br />
<br />
Writers attending to key events on behalf of GenderIT.org/APCNews or following them remotely are expected to produce certain outputs that will later feed an edition (if that is the case) or be featured on GenderIT.org/APC.org websites, on other APC websites when relevant, and on social media.<br />
<br />
<br />
<br />
=== ''Feminist Talks (blog posts)'' ===<br />
<br />
<br />
'''1.''' Feminist Talks doesn't have to be too long. Around 1500 words is perfectly fine, and we encourage to input as much insight and analysis as possible in the writing. It is usually personal and insightful.<br />
<br />
'''2.''' You can submit your inputs or engage in discussions around women's rights issues in GenderIT.org's Feminist Talk. To submit your blog you should [http://www.genderit.org/user/register and then navigate to http://www.genderit.org/node/add/blog create an account]. <br />
<br />
'''3.''' Make sure you have chosen a profile picture for you and a short byline for the “about” field. Other information is optional.<br />
<br />
'''4.''' You can also send your reflections and photos directly to genderit@apcwomen.org and we will upload them for you. You do not need to be registered to send a comment on other posts.<br />
<br />
'''5.''' Off-site team: Those following the event off-site can help with blogging by using the tweets sent by on-site team as input for their articles, as well as the webcasts when available. This is a good practice that allows us to produce more content and to help on-site team.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/feminist-talk/how-technology-informs-my-activism-conversation-gender-and-technology-activists-barcel How technology informs my activism: A conversation with gender and technology activists in Barcelona]<br />
<br />
[http://www.genderit.org/feminist-talk/video-feminist-talks-feminist-internet Video: Feminist talks on a feminist internet]<br />
<br />
[http://www.genderit.org/feminist-talk/never-mind-nipples-sex-gender-and-social-media Never mind the nipples: Sex, gender and social media] <br />
<br />
[http://www.genderit.org/feminist-talk/how-crucial-anonymity-sexual-exploration-and-promoting-sexual-rights-activism How crucial is anonymity for sexual exploration and promoting sexual rights activism]<br />
<br />
[http://www.genderit.org/editorial/two-weeks-push-greater-recognition-our-rights Two weeks to push for greater recognition of our rights]<br />
<br />
=== ''Articles/interviews'' ===<br />
<br />
<br />
'''1.''' Writers attending the event are expected to write sessions chronicles, articles on hot topics, or interview key advocacy referents. This can be in text format, or video, or an audio interview. It will depend on the kind of material and its quality (you might have a great interview in recorded audio but if the sound quality is not good enough, it is possible that it might have to be turned into a text piece).<br />
<br />
'''2.''' Some of the articles/interviews will be prearranged with GenderIT.org editorial team before the event, having in mind the people attending to that space and the topics covered.<br />
<br />
'''3.''' Criteria for writing articles (extension, depth) is detailed in the GenderIT.org's payment squeme (link) and shall be coordinated with the editors beforehand.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/articles/stripping-igf-bare-where-are-women-s-rights Stripping the IGF bare: where are women´s rights?]<br />
<br />
[http://www.genderit.org/articles/interview-nana-darkoa-adventures-bedroom-african-woman Interview with Nana Darkoa: Adventures from the bedroom of an African woman]<br />
<br />
[http://www.genderit.org/articles/lets-talk-about-gender-analysis-lac-igf Let's talk about gender analysis in the LAC IGF]<br />
<br />
[http://www.genderit.org/articles/women-igf-now-we-need-mainstream-gender Women at the IGF: Now we need to mainstream gender]<br />
<br />
[http://www.genderit.org/articles/digital-world-2012-stories-end-violence-against-women Digital World 2012: stories to end violence against women] <br />
<br />
[http://www.genderit.org/articles/azerbaijan-when-online-security-synonymous-personal-safety Azerbaijan: When online security is synonymous with personal safety]<br />
<br />
=== ''Twitter'' ===<br />
<br />
<br />
1. '''Make sure that you have a Twitter account.''' Make it open (otherwise people who are not following you – the ones we want to reach- won't be able to see your tweets). If you want to keep your Twitter account private you can create a new one for work. Make your user name as personal as you can, (eg: sonia_apc rather than womensprogramme_apc). People are more interested in personal opinions and views rather than organisational speech. Writers are expected to use their accounts for tweeting during events. <br />
<br />
2. '''We use the hashtags''': #genderit and #genderitES for Spanish. APC Twitter accounts are @APC_News @APCNoticias @APCNouvelles @GenderITorg @GenderITorgES.<br />
<br />
3. '''Find out and send us the Twitter accounts of partners/members attending''', so that we can follow them with the GenderIT.org and APC accounts.<br />
<br />
4. Sometimes, before an event, a set of predefined tweets is shared via email to facilitate the tweeting and the dissemination of our key messages.<br />
<br />
5. '''Once at the event, find out what hashtag people are using.''' Sometime there are various hashtags circulating. For instance, with CSW, tweeples could be using various tags — such as #CSW, #CSW59 or #CSW2012. Identify the most popular one. We'll use that hashtag for the box on APC.org.<br />
<br />
6. '''If this event does not have an active hashtag, we will set up one''', probably using somehow the name of the conference, so all tweeples can relate to. This way, you can easily follow the conversation and then create one page with all posts from the event for easy reference (check Storify below). <br />
<br />
7. '''Tweet (in English and/or in Spanish)!''' You can quote panelists and participants (short, summarised and catchy phrases) and/or your reactions to what it's being said, about conversations you have or overhear, your observations, soundbytes, links to interesting resources or news, photos, reminders about events. You can also reply to other participants; many times real participation takes. <br />
<br />
8. '''Re-tweet interesting stuff from other people:''' this will help us build our Twitter audience. <br />
<br />
9. '''Blog.''' Many times you can cut and paste some tweets and replies and make an interesting post with little effort. You can also use tweets for reporting or as a way of taking notes. <br />
<br />
10. '''Invite people to share their own writings:''' You will not be alone in the coverage of an event, so this other people are your allies. Contact them via Twitter or email to give them a heads up on the coverage plans and ask them to send you their stuff.<br />
<br />
Example: Are you going to be writing at #IGF? If so, I would love to include your post(s) in our ongoing event coverage. Send me a DM with a link to your post, and we’ll get it added to our site. <br />
<br />
11. '''Remote team:''' Keep an eye out on tweets, re-tweet conversations, reply and join conversations, and conduct deeper research on tweeted links. Engage as much as possible – we know it is hard not being present physically to follow up what is going on at the event, but we promise you that it is completely possible and useful.<br />
<br />
<br />
'''Tips for live tweeting:'''<br />
<br />
'''Make a plan:''' Choose your sessions in advance. If you are attending an event with multiple tracks, schedule which sessions you’ll be attending and covering in advance. If you don’t want to cover everything you sit in on, consider what your readers will benefit from the most. Once you decide what you will be covering, prep your posts with these basics to save time:<br />
<br />
- Name of the session and speaker: Make sure you can provide a bit of background about the speaker, including links to his/her company, Twitter handle, etc. <br />
<br />
- Details of the session: Is there a Slideshare or a programme available that you can review in advance? if so, it may help to type up the basic structure of the presentation and then fill in the details as you listen.<br />
<br />
'''Tip:''' Be careful. Some events are more private that others; if it's a small event make sure that people are OK with your tweeting.<br />
<br />
'''Bonus tip:''' If you have multiple people covering an event, set up a Google spreadsheet with the list of all sessions, times, and people covering the conference. From there, writers can indicate which sessions they are covering so they are not duplicating efforts.<br />
<br />
'''Decide on a writing platform.''' In addition to deciding which sessions you want to cover, decide how you want to capture information from each session. Because internet connections can never be relied upon 100 percent, we suggest to write in a text editor so you don’t have to worry about connectivity.<br />
<br />
Decide what kind of content to produce: There are a number of ways you can cover sessions at an event, and you should decide what format will work best for your audience before you get on-site. Here are a few general options:<br />
<br />
1- '''Live blogging:''' This is reporting from a session in real time.<br />
<br />
'''Pro:''' You can provide immediate coverage of an event.<br />
<br />
'''Con:''' Depending on how many posts you publish, your audience may feel a bit overwhelmed.<br />
<br />
2- '''Daily wrap-ups:''' This is providing highlights from the conference from each day.<br />
<br />
'''Pro:''' These posts are easy to digest.<br />
<br />
'''Con:''' It’s not a good option if your audience wants detailed information.<br />
<br />
3- '''Post-event coverage:''' Collect content that you can then use after the event. This content may be a bit more refined, and it could have a bit of a different spin than “straight coverage” of a session.<br />
<br />
'''Pro:''' You can focus on the best content from the event and in essence be a filter for your audience.<br />
<br />
'''Con:''' This is not a good option if the information is time sensitive, or there are a lot of other people covering the event quickly.<br />
<br />
Regardless of if you are publishing your content in real time or dripping it out, here are some ways to generate interest in your coverage:<br />
<br />
'''Announce what you will cover.''' If you are going to be changing your regular posting schedule and publishing live blogs throughout a conference, it’s a good idea to let your readers know. You can also use this post to announce if someone from your organization will be speaking.<br />
<br />
Example: Check out what #genderit announced that will be covering at the #CSW59<br />
<br />
'''Tease your session.''' If you are speaking at the event, you may want to write about your session before it occurs. Not only is this is a great way to repurpose content that you have spent a lot of time creating, but it also builds anticipation for your session.<br />
<br />
Example: Susan Marx wrote about an internet intermediaries’ guide to social media and online VAW fighting strategy, which was a preview of the presentation she gave last year at #CSW58.<br />
<br />
'''Step-by-step posts.''' One classic way to cover a session is to do a rundown of the ideas the speaker shared, following the same structure as the presentation. This is especially easy to do if the speaker is covering a process or another well-organized topic.<br />
<br />
Example: Susan Marx shared her wrap-up of a panel discussion on how to eradicate online violence against women at the #CSW59.<br />
<br />
'''Bonus tip:''' If you are doing live tweeting, you can use this: “I put a live blogging disclaimer at the top of the post that says, ‘I’m live tweeting, excuse lapses of grammar, spelling errors, and typos‘” <br />
<br />
'''Summary of tweets.''' Another fun thing you can do is follow the Twitter stream during the presentation and record the most insightful and popular tweets and share them in a post (check Storify below).<br />
<br />
Example: Missed the event and looking for a compilation of debates? Check our most tweetable moments from #CSW58<br />
<br />
'''A compilation of Instagram photos.''' There are a lot of intangibles you experience when attending an event. Capture them by taking photos or curating what others have shared and post that on Twitter (always remember to respect people's right to privacy and anonymity).<br />
<br />
Example: 45 GenderIT.org insider Instagram pics from workshops at #CSW58<br />
<br />
'''Wrap-up posts.''' When necessary, instead of covering individual sessions, consider writing a wrap-up post that outlines the key points you found most valuable or compelling, and share the link with a tweet that is appealing and captures the best of the article.<br />
<br />
Example: [https://www.apc.org/en/node/20266/ #SectionJ: From footnotes to headlines] <br />
<br />
After you do all your thing on Twitter, and the event is almost finished, you need to give it a bit of love. Here are some easy ways to increase the distribution of your conference content on Twitter (and this can also apply by email):<br />
<br />
- Include the event hashtag in the title of the materials you are posting on Twitter, since it is an easy way to help spread the word about your post and to have it automatically included in the Twitter stream.<br />
<br />
- Send your content to the event’s organizers too, contacting them via Twitter or email. While your audience will hopefully benefit from your coverage of the event, the event organizers will likely want to see and share your post, as well.<br />
<br />
=== ''Facebook'' ===<br />
<br />
<br />
1. Take Back the Tech (in English) and APC (in English, Spanish and French) pages are the only official Facebook pages APC uses. <br />
<br />
2. Writers are invited to post on Facebook using their personal accounts all links and photos considered relevant. <br />
<br />
3. Inviting people at the event to “like” the pages and to post relevant links as well is another possibility. <br />
<br />
<br />
=== ''Pictures'' ===<br />
<br />
<br />
1. We always appreciate having pictures to illustrate the articles or for some other purposes, so picture taking is more than encouraged.<br />
2. You can upload them to a Flickr account and share them with the editors, also by email, or upload it yourself to illustrate your output.<br />
<br />
'''Tip:''' Please remember that this entails security and privacy issues for the people in the pictures, so make sure that the people appearing in the image is fine with that. <br />
<br />
<br />
=== ''Storify'' ===<br />
<br />
1. Storify has been successfully used during some events to compile relevant tweets, Facebook posts, YouTube videos and other social media posts. It's a fast and easy way to compose blog posts-like content. <br />
<br />
2. Its also a very useful tool to condense and store in one place debates or interviews carried over Twitter, for instance (as in the first example below).<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[What does it take to create a feminist internet?]<br />
<br />
[Day 3: Sexual Right, Privacy and Technology - Common Concerns Moving Forward]<br />
<br />
<br />
=== ''Newsletter edition'' ===<br />
<br />
<br />
Usually, after a big event coverage, a special GenderIT.org/APCNews edition is released (this is not always the case) but it is quite a key and relevant moment in GenderIT.org's editorial timeline, since it spikes our readership interest and it keeps us as reference points on the gender lensed coverage of events that are usually (if covered at all) covered from other perspectives.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
Gender peripheries of the Internet Governance Forum in Latin America<br />
<br />
Gender, sexuality and the internet<br />
<br />
9th IGF: Feminist talks scale over the walls of internet governance<br />
<br />
<br />
== '''One last word''' ==<br />
<br />
<br />
''Before attending an event''<br />
<br />
1. Check all the publications/promotional material you can bring with you, and with staff members that live in your city. <br />
<br />
2. If you think the event is relevant enough for us to have some materials printed, let us know. <br />
<br />
3. Also check their luggage restrictions and if there's budget available to pay extra weight.<br />
<br />
<br />
''During the event''<br />
<br />
1. Remember to collect business cards of people you consider relevant.<br />
<br />
2. Offer attendees to sign up a sheet for our newsletters.<br />
<br />
<br />
''After attending the event''<br />
<br />
1. Report back to the team on how the event went and all relevant information.<br />
<br />
2. Type down the information you collected on the business cards and please send it to the team.<br />
<br />
3. Send us the suscribers email addresses for the newsletters and we will add them to our database. <br />
<br />
<br />
<br />
== '''Read more: Why are events' coverages important for GenderIT.org''' ==<br />
<br />
<br />
From February to September of 2014, GenderIT.org team carried an evaluation process to respond, among others, to these questions:<br />
<br />
''Is GenderIT.org reaching the audience that it aims to reach?''<br />
<br />
''To what extent are our readers satisfied with GenderIT.org website and content?''<br />
<br />
We consider that it is relevant to feature this information in this section since it will give writers a better idea of the kind of use our readership and writers are making of the website content, and what they like the most, therefore orientate the materials produced during coverage.<br />
<br />
The evaluation data was collected through a readership survey, a survey and interviews with GenderIT.org writers, and an analysis of the website statistics since 2010 to date.<br />
<br />
''Some relevant highlights from the readership survey [1]:''<br />
<br />
* Type of content: In-depth articles were pointed out as extremely useful, and about a quarter of all respondents ranked feminist talks as extremely important.<br />
<br />
* Type of content format: Half of respondents said that they prefer all the three formats named (audio, text, video). Among the remainder, text was the clear favourite.<br />
<br />
* What do readers get from GenderIT.org: Majority of respondents agreed and agreed strongly that when they read GenderIT.org I feel more informed on topics. <br />
<br />
* Majority of respondents disagreed with the affirmation that when they read GenderIT.org they find information similar to what they can get in other websites. <br />
<br />
* Majority of respondents agreed and agreed strongly with the affirmation that when they read GenderIT.org they get an alternative perspective on the issues.<br />
<br />
<br />
''Some relevant highlights from the writers' survey and interviews [2]:''<br />
<br />
* In terms of events coverage, all those who had covered events spoke of the experience as exhilirating if exhausting. There were no suggestions on improving how things are run during the events themselves. <br />
<br />
* It is clear that the events are significant in building the GenderIT.org 'family', making people feel connected and supported.<br />
<br />
* The articles coming from an event are staggered to maintain interest.<br />
<br />
* GenderIT.org needs more and better quality audio for the use in community radio stations.<br />
<br />
<br />
''References:''<br />
<br />
[1] In mid-2014 GenderIT.org disseminated an online questionnaire, requesting that all users of GenderIT.org respond. By the closing date, a total of 162 people had submitted a full questionnaire response to GenderIT.org. <br />
<br />
[2] The writers survey was conducted in July 2014, with a pool of around 100 former and current contributors to GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=General_orientation_for_events_coverage&diff=562General orientation for events coverage2015-06-07T19:31:39Z<p>Tarryn: /* Articles/interviews */</p>
<hr />
<div>[[File:coverage.jpg|thumb|200px]]<br />
<br />
GenderIT.org and APCNews have both been recognised for the coverage done in events by readers and writers, becoming one of its substantial outputs when it comes to gender, internet rights and ICT policy arena. <br />
<br />
<br />
== '''What is the dynamic we propose to the team for an event coverage?''' ==<br />
<br />
<br />
GenderIT.org and APCNews commits to keep the core writers informed about any upcoming event of relevance for coverage, so the team is available and ready to go. Team meetings and email contacts will be the spaces to have these discussions and updates.<br />
<br />
The editorial teams team will develop a communications plan before the event, to make sure we are all on the same page, adding background information on the event, why it is relevant to our advocacy goals, what are the responsabilities of each one of us, what are the outputs expected, and what are the expectations in general.<br />
<br />
This plan will include orientation for work previously, during and after the event. Many times the event itself is just the tip of the iceberg: many other things will be needed before, during and after the event in terms of coverage. Please refer to the CSW case linked to this document to use as an example of what we mean by this.<br />
<br />
Once the event its happening, weather we are carrying an on-site or an off-site coverage, the editors will be in touch and available for the writers as much as possible to provide orientation, feedback on whatever is necessary and to make suggestions.<br />
<br />
As mentioned before, sometimes after a big event we prepare a newsletter edition. The content of this edition can be composed by on-site produced content, or in some cases of special materials - usually in-depth articles – commissioned to complement the on-site delivered content. <br />
<br />
One of the ways that the APCNews/GenderIT.org teams have of assessing and monitoring the reach of these editions is through a website statistics report done one month after the edition went out. This search tell us which were the most read materials, the number of visits to the website, the impact on social media, among other indicators. And our experience with these reports has showed us so far that GenderIT.org events coverages are quite successful. These reports can be shared with the team of writers if you consider it is a relevant resource for your orientation.<br />
<br />
<br />
<br />
== '''Events usually covered by GenderIT.org''' ==<br />
<br />
<br />
Even though coverage opportunities change, and our advocacy objectives might give more importance to some events over the others, the coverage that GenderIT.org usually does relates to these spaces:<br />
<br />
===''UN spaces:''===<br />
<br />
''Global Internet Governance Forum (IGF)''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-2010 2010 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-2011-internet-governance-forum 2011 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/IGF2012 2012 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-indonesia 2013 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/9th-igf-feminist-talks-scale-over-walls-internet-governance 2014 IGF coverage condensed in special edition]<br />
<br />
<br />
''Regional and national IGFs''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-latin-america 2013 LAC IGF coverage condensed in special edition] (full coverage in [http://www.genderit.org/es/edition/periferias-del-g-nero-en-el-foro-de-gobernanza-de-internet-en-am-rica-latina Spanish])<br />
<br />
[http://www.genderit.org/feminist-talk/asia-pacific-stakeholders-assert-human-rights-should-be-heart-internet-governance-disc 2014 Asia-Pacific IGF] (stand alone article)<br />
<br />
[http://www.genderit.org/feminist-talk/impacting-global-advocacy-tech-related-violence-against-women-through-regional-igfs Impacting global advocacy on tech-related violence against women through regional IGFs] (stand alone article)<br />
<br />
<br />
''Commission on the Status of Women''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/genderitorg-commission-status-women-2011-new-york 2011 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/end-violence-against-women-language-and-action-csw57th 2013 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/back-and-forth-advancement-womens-rights-csw58 2014 CSW coverage condensed in special edition]<br />
<br />
<br />
''UN Committee on the Elimination of Discrimination against Women (CEDAW)'' <br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/resources/cedaw-apcs-submission-commitee-general-recommendation-girls-women-s-right-education CEDAW: APC's Submission to the Commitee on the General recommendation on girls’/women’s right to education] (stand alone article/resource)<br />
<br />
<br />
''Universal Periodic Review''<br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/edition/womens-human-rights-online-universal-periodic-review Human Rights Council's Universal Periodic Review (UPR)]<br />
<br />
<br />
===''APC's projects related events''===<br />
<br />
''On sexual and internet rights:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet-imagineafeministinternet Global Meeting on Gender, Sexuality and the Internet in 2014] (coverage in synch)<br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet Global Meeting on Gender, Sexuality and the Internet in 2014] (special edition)<br />
<br />
[http://www.genderit.org/edition/erotics-all-over-constellations-debates-sexual-rights-privacy-and-technology EROTICS project meetings in India and United States in 2013] (special edition)<br />
<br />
<br />
''On violence against women:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/taking-control-technology-end-violence-against-women Take Back the Tech! campaign in 2011]<br />
<br />
[http://www.genderit.org/edition/power-stories-reclaim-womens-rights Take Back the Tech! campaign in 2012]<br />
<br />
===''Partners' relevant events''===<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/category/discussion-theme/genderitorg-12th-awid-forum-2012 AWID Forum in 2012]<br />
<br />
<br />
Other local, regional or global initiatives or events related to access, FLOSS, media, human rights, among others.<br />
<br />
<br />
''CSW: A real case of coverage''<br />
<br />
We have attached one report featuring as an example the coverage planned and executed (including final statistical reporting) of the 2013 Commission on the Status of Women (CSW) session in New York. This will be a good case to read through in order to get a sense of how GenderIT.org and APC communications team work like during a relevant event coverage. Check it out here: [[Media:File:CSW case example.pdf]]<br />
<br />
== '''What kind of outputs do we expect from events' coverage?''' ==<br />
<br />
<br />
Writers attending to key events on behalf of GenderIT.org/APCNews or following them remotely are expected to produce certain outputs that will later feed an edition (if that is the case) or be featured on GenderIT.org/APC.org websites, on other APC websites when relevant, and on social media.<br />
<br />
<br />
<br />
=== ''Feminist Talks (blog posts)'' ===<br />
<br />
<br />
'''1.''' Feminist Talks doesn't have to be too long. Around 1500 words is perfectly fine, and we encourage to input as much insight and analysis as possible in the writing. It is usually personal and insightful.<br />
<br />
'''2.''' You can submit your inputs or engage in discussions around women's rights issues in GenderIT.org's Feminist Talk. To submit your blog you should [http://www.genderit.org/user/register and then navigate to http://www.genderit.org/node/add/blog create an account]. <br />
<br />
'''3.''' Make sure you have chosen a profile picture for you and a short byline for the “about” field. Other information is optional.<br />
<br />
'''4.''' You can also send your reflections and photos directly to genderit@apcwomen.org and we will upload them for you. You do not need to be registered to send a comment on other posts.<br />
<br />
'''5.''' Off-site team: Those following the event off-site can help with blogging by using the tweets sent by on-site team as input for their articles, as well as the webcasts when available. This is a good practice that allows us to produce more content and to help on-site team.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/feminist-talk/how-technology-informs-my-activism-conversation-gender-and-technology-activists-barcel How technology informs my activism: A conversation with gender and technology activists in Barcelona]<br />
<br />
[http://www.genderit.org/feminist-talk/video-feminist-talks-feminist-internet Video: Feminist talks on a feminist internet]<br />
<br />
[http://www.genderit.org/feminist-talk/never-mind-nipples-sex-gender-and-social-media Never mind the nipples: Sex, gender and social media] <br />
<br />
[http://www.genderit.org/feminist-talk/how-crucial-anonymity-sexual-exploration-and-promoting-sexual-rights-activism How crucial is anonymity for sexual exploration and promoting sexual rights activism]<br />
<br />
[http://www.genderit.org/editorial/two-weeks-push-greater-recognition-our-rights Two weeks to push for greater recognition of our rights]<br />
<br />
=== ''Articles/interviews'' ===<br />
<br />
<br />
'''1.''' Writers attending the event are expected to write sessions chronicles, articles on hot topics, or interview key advocacy referents. This can be in text format, or video, or an audio interview. It will depend on the kind of material and its quality (you might have a great interview in recorded audio but if the sound quality is not good enough, it is possible that it might have to be turned into a text piece).<br />
<br />
'''2.''' Some of the articles/interviews will be prearranged with GenderIT.org editorial team before the event, having in mind the people attending to that space and the topics covered.<br />
<br />
'''3.''' Criteria for writing articles (extension, depth) is detailed in the GenderIT.org's payment squeme (link) and shall be coordinated with the editors beforehand.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/articles/stripping-igf-bare-where-are-women-s-rights Stripping the IGF bare: where are women´s rights?]<br />
<br />
[http://www.genderit.org/articles/interview-nana-darkoa-adventures-bedroom-african-woman Interview with Nana Darkoa: Adventures from the bedroom of an African woman]<br />
<br />
[http://www.genderit.org/articles/lets-talk-about-gender-analysis-lac-igf Let's talk about gender analysis in the LAC IGF]<br />
<br />
[http://www.genderit.org/articles/women-igf-now-we-need-mainstream-gender Women at the IGF: Now we need to mainstream gender]<br />
<br />
[http://www.genderit.org/articles/digital-world-2012-stories-end-violence-against-women Digital World 2012: stories to end violence against women] <br />
<br />
[http://www.genderit.org/articles/azerbaijan-when-online-security-synonymous-personal-safety Azerbaijan: When online security is synonymous with personal safety]<br />
<br />
=== ''Twitter'' ===<br />
<br />
<br />
1. '''Make sure that you have a Twitter account.''' Make it open (otherwise people who are not following you – the ones we want to reach- won't be able to see your tweets). If you want to keep your Twitter account private you can create a new one for work. Make your user name as personal as you can, (eg: sonia_apc rather than womensprogramme_apc). People are more interested in personal opinions and views rather than organisational speech. Writers are expected to use their accounts for tweeting during events. <br />
<br />
2. '''We use the hashtags''': #genderit and #genderitES for Spanish. APC Twitter accounts are @APC_News @APCNoticias @APCNouvelles @GenderITorg @GenderITorgES.<br />
<br />
3. '''Find out and send us the Twitter accounts of partners/members attending''', so that we can follow them with the GenderIT.org and APC accounts.<br />
<br />
4. Sometimes, before an event, a set of predefined tweets is shared via email to facilitate the tweeting and the dissemination of our key messages.<br />
<br />
5. '''Once at the event, find out what hashtag people are using.''' Sometime there are various hashtags circulating. For instance, with CSW, tweeples could be using various tags — such as #CSW, #CSW59 or #CSW2012. Identify the most popular one. We'll use that hashtag for the box on APC.org.<br />
<br />
6. '''If this event does not have an active hashtag, we will set up one''', probably using somehow the name of the conference, so all tweeples can relate to. This way, you can easily follow the conversation and then create one page with all posts from the event for easy reference (check Storify below). <br />
<br />
7. '''Tweet (in English and/or in Spanish)!''' You can quote panelists and participants (short, summarised and catchy phrases) and/or your reactions to what it's being said, about conversations you have or overhear, your observations, soundbytes, links to interesting resources or news, photos, reminders about events. You can also reply to other participants; many times real participation takes. <br />
<br />
8. '''Re-tweet interesting stuff from other people:''' this will help us build our Twitter audience. <br />
<br />
9. '''Blog.''' Many times you can cut and paste some tweets and replies and make an interesting post with little effort. You can also use tweets for reporting or as a way of taking notes. <br />
<br />
10. '''Invite people to share their own writings:''' You will not be alone in the coverage of an event, so this other people are your allies. Contact them via Twitter or email to give them a heads up on the coverage plans and ask them to send you their stuff.<br />
<br />
Example: Are you going to be writing at #IGF? If so, I would love to include your post(s) in our ongoing event coverage. Send me a DM with a link to your post, and we’ll get it added to our site. <br />
<br />
11. '''Remote team:''' Keep an eye out on tweets, re-tweet conversations, reply and join conversations, and conduct deeper research on tweeted links. Engage as much as possible – we know it is hard not being present physically to follow up what is going on at the event, but we promise you that it is completely possible and useful.<br />
<br />
<br />
'''Tips for live tweeting:'''<br />
<br />
'''Make a plan:''' Choose your sessions in advance. If you are attending an event with multiple tracks, schedule which sessions you’ll be attending and covering in advance. If you don’t want to cover everything you sit in on, consider what your readers will benefit from the most. Once you decide what you will be covering, prep your posts with these basics to save time:<br />
<br />
- Name of the session and speaker: Make sure you can provide a bit of background about the speaker, including links to his/her company, Twitter handle, etc. <br />
<br />
- Details of the session: Is there a Slideshare or a programme available that you can review in advance? if so, it may help to type up the basic structure of the presentation and then fill in the details as you listen.<br />
<br />
'''Tip:''' Be careful. Some events are more private that others; if it's a small event make sure that people are OK with your tweeting.<br />
<br />
'''Bonus tip:''' If you have multiple people covering an event, set up a Google spreadsheet with the list of all sessions, times, and people covering the conference. From there, writers can indicate which sessions they are covering so they are not duplicating efforts.<br />
<br />
'''Decide on a writing platform.''' In addition to deciding which sessions you want to cover, decide how you want to capture information from each session. Because internet connections can never be relied upon 100 percent, we suggest to write in a text editor so you don’t have to worry about connectivity.<br />
<br />
Decide what kind of content to produce: There are a number of ways you can cover sessions at an event, and you should decide what format will work best for your audience before you get on-site. Here are a few general options:<br />
<br />
1- '''Live blogging:''' This is reporting from a session in real time.<br />
<br />
'''Pro:''' You can provide immediate coverage of an event.<br />
<br />
'''Con:''' Depending on how many posts you publish, your audience may feel a bit overwhelmed.<br />
<br />
2- '''Daily wrap-ups:''' This is providing highlights from the conference from each day.<br />
<br />
'''Pro:''' These posts are easy to digest.<br />
<br />
'''Con:''' It’s not a good option if your audience wants detailed information.<br />
<br />
3- '''Post-event coverage:''' Collect content that you can then use after the event. This content may be a bit more refined, and it could have a bit of a different spin than “straight coverage” of a session.<br />
<br />
'''Pro:''' You can focus on the best content from the event and in essence be a filter for your audience.<br />
<br />
'''Con:''' This is not a good option if the information is time sensitive, or there are a lot of other people covering the event quickly.<br />
<br />
Regardless of if you are publishing your content in real time or dripping it out, here are some ways to generate interest in your coverage:<br />
<br />
'''Announce what you will cover.''' If you are going to be changing your regular posting schedule and publishing live blogs throughout a conference, it’s a good idea to let your readers know. You can also use this post to announce if someone from your organization will be speaking.<br />
<br />
Example: Check out what #genderit announced that will be covering at the #CSW59<br />
<br />
'''Tease your session.''' If you are speaking at the event, you may want to write about your session before it occurs. Not only is this is a great way to repurpose content that you have spent a lot of time creating, but it also builds anticipation for your session.<br />
<br />
Example: Susan Marx wrote about an internet intermediaries’ guide to social media and online VAW fighting strategy, which was a preview of the presentation she gave last year at #CSW58.<br />
<br />
'''Step-by-step posts.''' One classic way to cover a session is to do a rundown of the ideas the speaker shared, following the same structure as the presentation. This is especially easy to do if the speaker is covering a process or another well-organized topic.<br />
<br />
Example: Susan Marx shared her wrap-up of a panel discussion on how to eradicate online violence against women at the #CSW59.<br />
<br />
'''Bonus tip:''' If you are doing live tweeting, you can use this: “I put a live blogging disclaimer at the top of the post that says, ‘I’m live tweeting, excuse lapses of grammar, spelling errors, and typos‘” <br />
<br />
'''Summary of tweets.''' Another fun thing you can do is follow the Twitter stream during the presentation and record the most insightful and popular tweets and share them in a post (check Storify below).<br />
<br />
Example: Missed the event and looking for a compilation of debates? Check our most tweetable moments from #CSW58<br />
<br />
'''A compilation of Instagram photos.''' There are a lot of intangibles you experience when attending an event. Capture them by taking photos or curating what others have shared and post that on Twitter (always remember to respect people's right to privacy and anonymity).<br />
<br />
Example: 45 GenderIT.org insider Instagram pics from workshops at #CSW58<br />
<br />
'''Wrap-up posts.''' When necessary, instead of covering individual sessions, consider writing a wrap-up post that outlines the key points you found most valuable or compelling, and share the link with a tweet that is appealing and captures the best of the article.<br />
<br />
Example: #SectionJ: From footnotes to headlines https://www.apc.org/en/node/20266/ <br />
<br />
After you do all your thing on Twitter, and the event is almost finished, you need to give it a bit of love. Here are some easy ways to increase the distribution of your conference content on Twitter (and this can also apply by email):<br />
<br />
- Include the event hashtag in the title of the materials you are posting on Twitter, since it is an easy way to help spread the word about your post and to have it automatically included in the Twitter stream.<br />
<br />
- Send your content to the event’s organizers too, contacting them via Twitter or email. While your audience will hopefully benefit from your coverage of the event, the event organizers will likely want to see and share your post, as well.<br />
<br />
<br />
=== ''Facebook'' ===<br />
<br />
<br />
1. Take Back the Tech (in English) and APC (in English, Spanish and French) pages are the only official Facebook pages APC uses. <br />
<br />
2. Writers are invited to post on Facebook using their personal accounts all links and photos considered relevant. <br />
<br />
3. Inviting people at the event to “like” the pages and to post relevant links as well is another possibility. <br />
<br />
<br />
=== ''Pictures'' ===<br />
<br />
<br />
1. We always appreciate having pictures to illustrate the articles or for some other purposes, so picture taking is more than encouraged.<br />
2. You can upload them to a Flickr account and share them with the editors, also by email, or upload it yourself to illustrate your output.<br />
<br />
'''Tip:''' Please remember that this entails security and privacy issues for the people in the pictures, so make sure that the people appearing in the image is fine with that. <br />
<br />
<br />
=== ''Storify'' ===<br />
<br />
1. Storify has been successfully used during some events to compile relevant tweets, Facebook posts, YouTube videos and other social media posts. It's a fast and easy way to compose blog posts-like content. <br />
<br />
2. Its also a very useful tool to condense and store in one place debates or interviews carried over Twitter, for instance (as in the first example below).<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[What does it take to create a feminist internet?]<br />
<br />
[Day 3: Sexual Right, Privacy and Technology - Common Concerns Moving Forward]<br />
<br />
<br />
=== ''Newsletter edition'' ===<br />
<br />
<br />
Usually, after a big event coverage, a special GenderIT.org/APCNews edition is released (this is not always the case) but it is quite a key and relevant moment in GenderIT.org's editorial timeline, since it spikes our readership interest and it keeps us as reference points on the gender lensed coverage of events that are usually (if covered at all) covered from other perspectives.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
Gender peripheries of the Internet Governance Forum in Latin America<br />
<br />
Gender, sexuality and the internet<br />
<br />
9th IGF: Feminist talks scale over the walls of internet governance<br />
<br />
<br />
== '''One last word''' ==<br />
<br />
<br />
''Before attending an event''<br />
<br />
1. Check all the publications/promotional material you can bring with you, and with staff members that live in your city. <br />
<br />
2. If you think the event is relevant enough for us to have some materials printed, let us know. <br />
<br />
3. Also check their luggage restrictions and if there's budget available to pay extra weight.<br />
<br />
<br />
''During the event''<br />
<br />
1. Remember to collect business cards of people you consider relevant.<br />
<br />
2. Offer attendees to sign up a sheet for our newsletters.<br />
<br />
<br />
''After attending the event''<br />
<br />
1. Report back to the team on how the event went and all relevant information.<br />
<br />
2. Type down the information you collected on the business cards and please send it to the team.<br />
<br />
3. Send us the suscribers email addresses for the newsletters and we will add them to our database. <br />
<br />
<br />
<br />
== '''Read more: Why are events' coverages important for GenderIT.org''' ==<br />
<br />
<br />
From February to September of 2014, GenderIT.org team carried an evaluation process to respond, among others, to these questions:<br />
<br />
''Is GenderIT.org reaching the audience that it aims to reach?''<br />
<br />
''To what extent are our readers satisfied with GenderIT.org website and content?''<br />
<br />
We consider that it is relevant to feature this information in this section since it will give writers a better idea of the kind of use our readership and writers are making of the website content, and what they like the most, therefore orientate the materials produced during coverage.<br />
<br />
The evaluation data was collected through a readership survey, a survey and interviews with GenderIT.org writers, and an analysis of the website statistics since 2010 to date.<br />
<br />
''Some relevant highlights from the readership survey [1]:''<br />
<br />
* Type of content: In-depth articles were pointed out as extremely useful, and about a quarter of all respondents ranked feminist talks as extremely important.<br />
<br />
* Type of content format: Half of respondents said that they prefer all the three formats named (audio, text, video). Among the remainder, text was the clear favourite.<br />
<br />
* What do readers get from GenderIT.org: Majority of respondents agreed and agreed strongly that when they read GenderIT.org I feel more informed on topics. <br />
<br />
* Majority of respondents disagreed with the affirmation that when they read GenderIT.org they find information similar to what they can get in other websites. <br />
<br />
* Majority of respondents agreed and agreed strongly with the affirmation that when they read GenderIT.org they get an alternative perspective on the issues.<br />
<br />
<br />
''Some relevant highlights from the writers' survey and interviews [2]:''<br />
<br />
* In terms of events coverage, all those who had covered events spoke of the experience as exhilirating if exhausting. There were no suggestions on improving how things are run during the events themselves. <br />
<br />
* It is clear that the events are significant in building the GenderIT.org 'family', making people feel connected and supported.<br />
<br />
* The articles coming from an event are staggered to maintain interest.<br />
<br />
* GenderIT.org needs more and better quality audio for the use in community radio stations.<br />
<br />
<br />
''References:''<br />
<br />
[1] In mid-2014 GenderIT.org disseminated an online questionnaire, requesting that all users of GenderIT.org respond. By the closing date, a total of 162 people had submitted a full questionnaire response to GenderIT.org. <br />
<br />
[2] The writers survey was conducted in July 2014, with a pool of around 100 former and current contributors to GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=General_orientation_for_events_coverage&diff=561General orientation for events coverage2015-06-07T19:29:39Z<p>Tarryn: /* Feminist Talks (blog posts) */</p>
<hr />
<div>[[File:coverage.jpg|thumb|200px]]<br />
<br />
GenderIT.org and APCNews have both been recognised for the coverage done in events by readers and writers, becoming one of its substantial outputs when it comes to gender, internet rights and ICT policy arena. <br />
<br />
<br />
== '''What is the dynamic we propose to the team for an event coverage?''' ==<br />
<br />
<br />
GenderIT.org and APCNews commits to keep the core writers informed about any upcoming event of relevance for coverage, so the team is available and ready to go. Team meetings and email contacts will be the spaces to have these discussions and updates.<br />
<br />
The editorial teams team will develop a communications plan before the event, to make sure we are all on the same page, adding background information on the event, why it is relevant to our advocacy goals, what are the responsabilities of each one of us, what are the outputs expected, and what are the expectations in general.<br />
<br />
This plan will include orientation for work previously, during and after the event. Many times the event itself is just the tip of the iceberg: many other things will be needed before, during and after the event in terms of coverage. Please refer to the CSW case linked to this document to use as an example of what we mean by this.<br />
<br />
Once the event its happening, weather we are carrying an on-site or an off-site coverage, the editors will be in touch and available for the writers as much as possible to provide orientation, feedback on whatever is necessary and to make suggestions.<br />
<br />
As mentioned before, sometimes after a big event we prepare a newsletter edition. The content of this edition can be composed by on-site produced content, or in some cases of special materials - usually in-depth articles – commissioned to complement the on-site delivered content. <br />
<br />
One of the ways that the APCNews/GenderIT.org teams have of assessing and monitoring the reach of these editions is through a website statistics report done one month after the edition went out. This search tell us which were the most read materials, the number of visits to the website, the impact on social media, among other indicators. And our experience with these reports has showed us so far that GenderIT.org events coverages are quite successful. These reports can be shared with the team of writers if you consider it is a relevant resource for your orientation.<br />
<br />
<br />
<br />
== '''Events usually covered by GenderIT.org''' ==<br />
<br />
<br />
Even though coverage opportunities change, and our advocacy objectives might give more importance to some events over the others, the coverage that GenderIT.org usually does relates to these spaces:<br />
<br />
===''UN spaces:''===<br />
<br />
''Global Internet Governance Forum (IGF)''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-2010 2010 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-2011-internet-governance-forum 2011 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/IGF2012 2012 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-indonesia 2013 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/9th-igf-feminist-talks-scale-over-walls-internet-governance 2014 IGF coverage condensed in special edition]<br />
<br />
<br />
''Regional and national IGFs''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-latin-america 2013 LAC IGF coverage condensed in special edition] (full coverage in [http://www.genderit.org/es/edition/periferias-del-g-nero-en-el-foro-de-gobernanza-de-internet-en-am-rica-latina Spanish])<br />
<br />
[http://www.genderit.org/feminist-talk/asia-pacific-stakeholders-assert-human-rights-should-be-heart-internet-governance-disc 2014 Asia-Pacific IGF] (stand alone article)<br />
<br />
[http://www.genderit.org/feminist-talk/impacting-global-advocacy-tech-related-violence-against-women-through-regional-igfs Impacting global advocacy on tech-related violence against women through regional IGFs] (stand alone article)<br />
<br />
<br />
''Commission on the Status of Women''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/genderitorg-commission-status-women-2011-new-york 2011 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/end-violence-against-women-language-and-action-csw57th 2013 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/back-and-forth-advancement-womens-rights-csw58 2014 CSW coverage condensed in special edition]<br />
<br />
<br />
''UN Committee on the Elimination of Discrimination against Women (CEDAW)'' <br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/resources/cedaw-apcs-submission-commitee-general-recommendation-girls-women-s-right-education CEDAW: APC's Submission to the Commitee on the General recommendation on girls’/women’s right to education] (stand alone article/resource)<br />
<br />
<br />
''Universal Periodic Review''<br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/edition/womens-human-rights-online-universal-periodic-review Human Rights Council's Universal Periodic Review (UPR)]<br />
<br />
<br />
===''APC's projects related events''===<br />
<br />
''On sexual and internet rights:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet-imagineafeministinternet Global Meeting on Gender, Sexuality and the Internet in 2014] (coverage in synch)<br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet Global Meeting on Gender, Sexuality and the Internet in 2014] (special edition)<br />
<br />
[http://www.genderit.org/edition/erotics-all-over-constellations-debates-sexual-rights-privacy-and-technology EROTICS project meetings in India and United States in 2013] (special edition)<br />
<br />
<br />
''On violence against women:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/taking-control-technology-end-violence-against-women Take Back the Tech! campaign in 2011]<br />
<br />
[http://www.genderit.org/edition/power-stories-reclaim-womens-rights Take Back the Tech! campaign in 2012]<br />
<br />
===''Partners' relevant events''===<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/category/discussion-theme/genderitorg-12th-awid-forum-2012 AWID Forum in 2012]<br />
<br />
<br />
Other local, regional or global initiatives or events related to access, FLOSS, media, human rights, among others.<br />
<br />
<br />
''CSW: A real case of coverage''<br />
<br />
We have attached one report featuring as an example the coverage planned and executed (including final statistical reporting) of the 2013 Commission on the Status of Women (CSW) session in New York. This will be a good case to read through in order to get a sense of how GenderIT.org and APC communications team work like during a relevant event coverage. Check it out here: [[Media:File:CSW case example.pdf]]<br />
<br />
== '''What kind of outputs do we expect from events' coverage?''' ==<br />
<br />
<br />
Writers attending to key events on behalf of GenderIT.org/APCNews or following them remotely are expected to produce certain outputs that will later feed an edition (if that is the case) or be featured on GenderIT.org/APC.org websites, on other APC websites when relevant, and on social media.<br />
<br />
<br />
<br />
=== ''Feminist Talks (blog posts)'' ===<br />
<br />
<br />
'''1.''' Feminist Talks doesn't have to be too long. Around 1500 words is perfectly fine, and we encourage to input as much insight and analysis as possible in the writing. It is usually personal and insightful.<br />
<br />
'''2.''' You can submit your inputs or engage in discussions around women's rights issues in GenderIT.org's Feminist Talk. To submit your blog you should [http://www.genderit.org/user/register and then navigate to http://www.genderit.org/node/add/blog create an account]. <br />
<br />
'''3.''' Make sure you have chosen a profile picture for you and a short byline for the “about” field. Other information is optional.<br />
<br />
'''4.''' You can also send your reflections and photos directly to genderit@apcwomen.org and we will upload them for you. You do not need to be registered to send a comment on other posts.<br />
<br />
'''5.''' Off-site team: Those following the event off-site can help with blogging by using the tweets sent by on-site team as input for their articles, as well as the webcasts when available. This is a good practice that allows us to produce more content and to help on-site team.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/feminist-talk/how-technology-informs-my-activism-conversation-gender-and-technology-activists-barcel How technology informs my activism: A conversation with gender and technology activists in Barcelona]<br />
<br />
[http://www.genderit.org/feminist-talk/video-feminist-talks-feminist-internet Video: Feminist talks on a feminist internet]<br />
<br />
[http://www.genderit.org/feminist-talk/never-mind-nipples-sex-gender-and-social-media Never mind the nipples: Sex, gender and social media] <br />
<br />
[http://www.genderit.org/feminist-talk/how-crucial-anonymity-sexual-exploration-and-promoting-sexual-rights-activism How crucial is anonymity for sexual exploration and promoting sexual rights activism]<br />
<br />
[http://www.genderit.org/editorial/two-weeks-push-greater-recognition-our-rights Two weeks to push for greater recognition of our rights]<br />
<br />
=== ''Articles/interviews'' ===<br />
<br />
<br />
'''1.''' Writers attending the event are expected to write sessions chronicles, articles on hot topics, or interview key advocacy referents. This can be in text format, or video, or an audio interview. It will depend on the kind of material and its quality (you might have a great interview in recorded audio but if the sound quality is not good enough, it is possible that it might have to be turned into a text piece).<br />
<br />
'''2.''' Some of the articles/interviews will be prearranged with GenderIT.org editorial team before the event, having in mind the people attending to that space and the topics covered.<br />
<br />
'''3.''' Criteria for writing articles (extension, depth) is detailed in the GenderIT.org's payment squeme (link) and shall be coordinated with the editors beforehand.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
Stripping the IGF bare: where are women´s rights?<br />
<br />
Interview with Nana Darkoa: Adventures from the bedroom of an African woman<br />
<br />
Let's talk about gender analysis in the LAC IGF<br />
<br />
Women at the IGF: Now we need to mainstream gender<br />
<br />
Digital World 2012: stories to end violence against women <br />
<br />
Azerbaijan: When online security is synonymous with personal safety<br />
<br />
<br />
<br />
=== ''Twitter'' ===<br />
<br />
<br />
1. '''Make sure that you have a Twitter account.''' Make it open (otherwise people who are not following you – the ones we want to reach- won't be able to see your tweets). If you want to keep your Twitter account private you can create a new one for work. Make your user name as personal as you can, (eg: sonia_apc rather than womensprogramme_apc). People are more interested in personal opinions and views rather than organisational speech. Writers are expected to use their accounts for tweeting during events. <br />
<br />
2. '''We use the hashtags''': #genderit and #genderitES for Spanish. APC Twitter accounts are @APC_News @APCNoticias @APCNouvelles @GenderITorg @GenderITorgES.<br />
<br />
3. '''Find out and send us the Twitter accounts of partners/members attending''', so that we can follow them with the GenderIT.org and APC accounts.<br />
<br />
4. Sometimes, before an event, a set of predefined tweets is shared via email to facilitate the tweeting and the dissemination of our key messages.<br />
<br />
5. '''Once at the event, find out what hashtag people are using.''' Sometime there are various hashtags circulating. For instance, with CSW, tweeples could be using various tags — such as #CSW, #CSW59 or #CSW2012. Identify the most popular one. We'll use that hashtag for the box on APC.org.<br />
<br />
6. '''If this event does not have an active hashtag, we will set up one''', probably using somehow the name of the conference, so all tweeples can relate to. This way, you can easily follow the conversation and then create one page with all posts from the event for easy reference (check Storify below). <br />
<br />
7. '''Tweet (in English and/or in Spanish)!''' You can quote panelists and participants (short, summarised and catchy phrases) and/or your reactions to what it's being said, about conversations you have or overhear, your observations, soundbytes, links to interesting resources or news, photos, reminders about events. You can also reply to other participants; many times real participation takes. <br />
<br />
8. '''Re-tweet interesting stuff from other people:''' this will help us build our Twitter audience. <br />
<br />
9. '''Blog.''' Many times you can cut and paste some tweets and replies and make an interesting post with little effort. You can also use tweets for reporting or as a way of taking notes. <br />
<br />
10. '''Invite people to share their own writings:''' You will not be alone in the coverage of an event, so this other people are your allies. Contact them via Twitter or email to give them a heads up on the coverage plans and ask them to send you their stuff.<br />
<br />
Example: Are you going to be writing at #IGF? If so, I would love to include your post(s) in our ongoing event coverage. Send me a DM with a link to your post, and we’ll get it added to our site. <br />
<br />
11. '''Remote team:''' Keep an eye out on tweets, re-tweet conversations, reply and join conversations, and conduct deeper research on tweeted links. Engage as much as possible – we know it is hard not being present physically to follow up what is going on at the event, but we promise you that it is completely possible and useful.<br />
<br />
<br />
'''Tips for live tweeting:'''<br />
<br />
'''Make a plan:''' Choose your sessions in advance. If you are attending an event with multiple tracks, schedule which sessions you’ll be attending and covering in advance. If you don’t want to cover everything you sit in on, consider what your readers will benefit from the most. Once you decide what you will be covering, prep your posts with these basics to save time:<br />
<br />
- Name of the session and speaker: Make sure you can provide a bit of background about the speaker, including links to his/her company, Twitter handle, etc. <br />
<br />
- Details of the session: Is there a Slideshare or a programme available that you can review in advance? if so, it may help to type up the basic structure of the presentation and then fill in the details as you listen.<br />
<br />
'''Tip:''' Be careful. Some events are more private that others; if it's a small event make sure that people are OK with your tweeting.<br />
<br />
'''Bonus tip:''' If you have multiple people covering an event, set up a Google spreadsheet with the list of all sessions, times, and people covering the conference. From there, writers can indicate which sessions they are covering so they are not duplicating efforts.<br />
<br />
'''Decide on a writing platform.''' In addition to deciding which sessions you want to cover, decide how you want to capture information from each session. Because internet connections can never be relied upon 100 percent, we suggest to write in a text editor so you don’t have to worry about connectivity.<br />
<br />
Decide what kind of content to produce: There are a number of ways you can cover sessions at an event, and you should decide what format will work best for your audience before you get on-site. Here are a few general options:<br />
<br />
1- '''Live blogging:''' This is reporting from a session in real time.<br />
<br />
'''Pro:''' You can provide immediate coverage of an event.<br />
<br />
'''Con:''' Depending on how many posts you publish, your audience may feel a bit overwhelmed.<br />
<br />
2- '''Daily wrap-ups:''' This is providing highlights from the conference from each day.<br />
<br />
'''Pro:''' These posts are easy to digest.<br />
<br />
'''Con:''' It’s not a good option if your audience wants detailed information.<br />
<br />
3- '''Post-event coverage:''' Collect content that you can then use after the event. This content may be a bit more refined, and it could have a bit of a different spin than “straight coverage” of a session.<br />
<br />
'''Pro:''' You can focus on the best content from the event and in essence be a filter for your audience.<br />
<br />
'''Con:''' This is not a good option if the information is time sensitive, or there are a lot of other people covering the event quickly.<br />
<br />
Regardless of if you are publishing your content in real time or dripping it out, here are some ways to generate interest in your coverage:<br />
<br />
'''Announce what you will cover.''' If you are going to be changing your regular posting schedule and publishing live blogs throughout a conference, it’s a good idea to let your readers know. You can also use this post to announce if someone from your organization will be speaking.<br />
<br />
Example: Check out what #genderit announced that will be covering at the #CSW59<br />
<br />
'''Tease your session.''' If you are speaking at the event, you may want to write about your session before it occurs. Not only is this is a great way to repurpose content that you have spent a lot of time creating, but it also builds anticipation for your session.<br />
<br />
Example: Susan Marx wrote about an internet intermediaries’ guide to social media and online VAW fighting strategy, which was a preview of the presentation she gave last year at #CSW58.<br />
<br />
'''Step-by-step posts.''' One classic way to cover a session is to do a rundown of the ideas the speaker shared, following the same structure as the presentation. This is especially easy to do if the speaker is covering a process or another well-organized topic.<br />
<br />
Example: Susan Marx shared her wrap-up of a panel discussion on how to eradicate online violence against women at the #CSW59.<br />
<br />
'''Bonus tip:''' If you are doing live tweeting, you can use this: “I put a live blogging disclaimer at the top of the post that says, ‘I’m live tweeting, excuse lapses of grammar, spelling errors, and typos‘” <br />
<br />
'''Summary of tweets.''' Another fun thing you can do is follow the Twitter stream during the presentation and record the most insightful and popular tweets and share them in a post (check Storify below).<br />
<br />
Example: Missed the event and looking for a compilation of debates? Check our most tweetable moments from #CSW58<br />
<br />
'''A compilation of Instagram photos.''' There are a lot of intangibles you experience when attending an event. Capture them by taking photos or curating what others have shared and post that on Twitter (always remember to respect people's right to privacy and anonymity).<br />
<br />
Example: 45 GenderIT.org insider Instagram pics from workshops at #CSW58<br />
<br />
'''Wrap-up posts.''' When necessary, instead of covering individual sessions, consider writing a wrap-up post that outlines the key points you found most valuable or compelling, and share the link with a tweet that is appealing and captures the best of the article.<br />
<br />
Example: #SectionJ: From footnotes to headlines https://www.apc.org/en/node/20266/ <br />
<br />
After you do all your thing on Twitter, and the event is almost finished, you need to give it a bit of love. Here are some easy ways to increase the distribution of your conference content on Twitter (and this can also apply by email):<br />
<br />
- Include the event hashtag in the title of the materials you are posting on Twitter, since it is an easy way to help spread the word about your post and to have it automatically included in the Twitter stream.<br />
<br />
- Send your content to the event’s organizers too, contacting them via Twitter or email. While your audience will hopefully benefit from your coverage of the event, the event organizers will likely want to see and share your post, as well.<br />
<br />
<br />
=== ''Facebook'' ===<br />
<br />
<br />
1. Take Back the Tech (in English) and APC (in English, Spanish and French) pages are the only official Facebook pages APC uses. <br />
<br />
2. Writers are invited to post on Facebook using their personal accounts all links and photos considered relevant. <br />
<br />
3. Inviting people at the event to “like” the pages and to post relevant links as well is another possibility. <br />
<br />
<br />
=== ''Pictures'' ===<br />
<br />
<br />
1. We always appreciate having pictures to illustrate the articles or for some other purposes, so picture taking is more than encouraged.<br />
2. You can upload them to a Flickr account and share them with the editors, also by email, or upload it yourself to illustrate your output.<br />
<br />
'''Tip:''' Please remember that this entails security and privacy issues for the people in the pictures, so make sure that the people appearing in the image is fine with that. <br />
<br />
<br />
=== ''Storify'' ===<br />
<br />
1. Storify has been successfully used during some events to compile relevant tweets, Facebook posts, YouTube videos and other social media posts. It's a fast and easy way to compose blog posts-like content. <br />
<br />
2. Its also a very useful tool to condense and store in one place debates or interviews carried over Twitter, for instance (as in the first example below).<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[What does it take to create a feminist internet?]<br />
<br />
[Day 3: Sexual Right, Privacy and Technology - Common Concerns Moving Forward]<br />
<br />
<br />
=== ''Newsletter edition'' ===<br />
<br />
<br />
Usually, after a big event coverage, a special GenderIT.org/APCNews edition is released (this is not always the case) but it is quite a key and relevant moment in GenderIT.org's editorial timeline, since it spikes our readership interest and it keeps us as reference points on the gender lensed coverage of events that are usually (if covered at all) covered from other perspectives.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
Gender peripheries of the Internet Governance Forum in Latin America<br />
<br />
Gender, sexuality and the internet<br />
<br />
9th IGF: Feminist talks scale over the walls of internet governance<br />
<br />
<br />
== '''One last word''' ==<br />
<br />
<br />
''Before attending an event''<br />
<br />
1. Check all the publications/promotional material you can bring with you, and with staff members that live in your city. <br />
<br />
2. If you think the event is relevant enough for us to have some materials printed, let us know. <br />
<br />
3. Also check their luggage restrictions and if there's budget available to pay extra weight.<br />
<br />
<br />
''During the event''<br />
<br />
1. Remember to collect business cards of people you consider relevant.<br />
<br />
2. Offer attendees to sign up a sheet for our newsletters.<br />
<br />
<br />
''After attending the event''<br />
<br />
1. Report back to the team on how the event went and all relevant information.<br />
<br />
2. Type down the information you collected on the business cards and please send it to the team.<br />
<br />
3. Send us the suscribers email addresses for the newsletters and we will add them to our database. <br />
<br />
<br />
<br />
== '''Read more: Why are events' coverages important for GenderIT.org''' ==<br />
<br />
<br />
From February to September of 2014, GenderIT.org team carried an evaluation process to respond, among others, to these questions:<br />
<br />
''Is GenderIT.org reaching the audience that it aims to reach?''<br />
<br />
''To what extent are our readers satisfied with GenderIT.org website and content?''<br />
<br />
We consider that it is relevant to feature this information in this section since it will give writers a better idea of the kind of use our readership and writers are making of the website content, and what they like the most, therefore orientate the materials produced during coverage.<br />
<br />
The evaluation data was collected through a readership survey, a survey and interviews with GenderIT.org writers, and an analysis of the website statistics since 2010 to date.<br />
<br />
''Some relevant highlights from the readership survey [1]:''<br />
<br />
* Type of content: In-depth articles were pointed out as extremely useful, and about a quarter of all respondents ranked feminist talks as extremely important.<br />
<br />
* Type of content format: Half of respondents said that they prefer all the three formats named (audio, text, video). Among the remainder, text was the clear favourite.<br />
<br />
* What do readers get from GenderIT.org: Majority of respondents agreed and agreed strongly that when they read GenderIT.org I feel more informed on topics. <br />
<br />
* Majority of respondents disagreed with the affirmation that when they read GenderIT.org they find information similar to what they can get in other websites. <br />
<br />
* Majority of respondents agreed and agreed strongly with the affirmation that when they read GenderIT.org they get an alternative perspective on the issues.<br />
<br />
<br />
''Some relevant highlights from the writers' survey and interviews [2]:''<br />
<br />
* In terms of events coverage, all those who had covered events spoke of the experience as exhilirating if exhausting. There were no suggestions on improving how things are run during the events themselves. <br />
<br />
* It is clear that the events are significant in building the GenderIT.org 'family', making people feel connected and supported.<br />
<br />
* The articles coming from an event are staggered to maintain interest.<br />
<br />
* GenderIT.org needs more and better quality audio for the use in community radio stations.<br />
<br />
<br />
''References:''<br />
<br />
[1] In mid-2014 GenderIT.org disseminated an online questionnaire, requesting that all users of GenderIT.org respond. By the closing date, a total of 162 people had submitted a full questionnaire response to GenderIT.org. <br />
<br />
[2] The writers survey was conducted in July 2014, with a pool of around 100 former and current contributors to GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=General_orientation_for_events_coverage&diff=560General orientation for events coverage2015-06-07T19:25:04Z<p>Tarryn: /* Partners' relevant events */</p>
<hr />
<div>[[File:coverage.jpg|thumb|200px]]<br />
<br />
GenderIT.org and APCNews have both been recognised for the coverage done in events by readers and writers, becoming one of its substantial outputs when it comes to gender, internet rights and ICT policy arena. <br />
<br />
<br />
== '''What is the dynamic we propose to the team for an event coverage?''' ==<br />
<br />
<br />
GenderIT.org and APCNews commits to keep the core writers informed about any upcoming event of relevance for coverage, so the team is available and ready to go. Team meetings and email contacts will be the spaces to have these discussions and updates.<br />
<br />
The editorial teams team will develop a communications plan before the event, to make sure we are all on the same page, adding background information on the event, why it is relevant to our advocacy goals, what are the responsabilities of each one of us, what are the outputs expected, and what are the expectations in general.<br />
<br />
This plan will include orientation for work previously, during and after the event. Many times the event itself is just the tip of the iceberg: many other things will be needed before, during and after the event in terms of coverage. Please refer to the CSW case linked to this document to use as an example of what we mean by this.<br />
<br />
Once the event its happening, weather we are carrying an on-site or an off-site coverage, the editors will be in touch and available for the writers as much as possible to provide orientation, feedback on whatever is necessary and to make suggestions.<br />
<br />
As mentioned before, sometimes after a big event we prepare a newsletter edition. The content of this edition can be composed by on-site produced content, or in some cases of special materials - usually in-depth articles – commissioned to complement the on-site delivered content. <br />
<br />
One of the ways that the APCNews/GenderIT.org teams have of assessing and monitoring the reach of these editions is through a website statistics report done one month after the edition went out. This search tell us which were the most read materials, the number of visits to the website, the impact on social media, among other indicators. And our experience with these reports has showed us so far that GenderIT.org events coverages are quite successful. These reports can be shared with the team of writers if you consider it is a relevant resource for your orientation.<br />
<br />
<br />
<br />
== '''Events usually covered by GenderIT.org''' ==<br />
<br />
<br />
Even though coverage opportunities change, and our advocacy objectives might give more importance to some events over the others, the coverage that GenderIT.org usually does relates to these spaces:<br />
<br />
===''UN spaces:''===<br />
<br />
''Global Internet Governance Forum (IGF)''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-2010 2010 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-2011-internet-governance-forum 2011 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/IGF2012 2012 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-indonesia 2013 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/9th-igf-feminist-talks-scale-over-walls-internet-governance 2014 IGF coverage condensed in special edition]<br />
<br />
<br />
''Regional and national IGFs''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-latin-america 2013 LAC IGF coverage condensed in special edition] (full coverage in [http://www.genderit.org/es/edition/periferias-del-g-nero-en-el-foro-de-gobernanza-de-internet-en-am-rica-latina Spanish])<br />
<br />
[http://www.genderit.org/feminist-talk/asia-pacific-stakeholders-assert-human-rights-should-be-heart-internet-governance-disc 2014 Asia-Pacific IGF] (stand alone article)<br />
<br />
[http://www.genderit.org/feminist-talk/impacting-global-advocacy-tech-related-violence-against-women-through-regional-igfs Impacting global advocacy on tech-related violence against women through regional IGFs] (stand alone article)<br />
<br />
<br />
''Commission on the Status of Women''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/genderitorg-commission-status-women-2011-new-york 2011 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/end-violence-against-women-language-and-action-csw57th 2013 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/back-and-forth-advancement-womens-rights-csw58 2014 CSW coverage condensed in special edition]<br />
<br />
<br />
''UN Committee on the Elimination of Discrimination against Women (CEDAW)'' <br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/resources/cedaw-apcs-submission-commitee-general-recommendation-girls-women-s-right-education CEDAW: APC's Submission to the Commitee on the General recommendation on girls’/women’s right to education] (stand alone article/resource)<br />
<br />
<br />
''Universal Periodic Review''<br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/edition/womens-human-rights-online-universal-periodic-review Human Rights Council's Universal Periodic Review (UPR)]<br />
<br />
<br />
===''APC's projects related events''===<br />
<br />
''On sexual and internet rights:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet-imagineafeministinternet Global Meeting on Gender, Sexuality and the Internet in 2014] (coverage in synch)<br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet Global Meeting on Gender, Sexuality and the Internet in 2014] (special edition)<br />
<br />
[http://www.genderit.org/edition/erotics-all-over-constellations-debates-sexual-rights-privacy-and-technology EROTICS project meetings in India and United States in 2013] (special edition)<br />
<br />
<br />
''On violence against women:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/taking-control-technology-end-violence-against-women Take Back the Tech! campaign in 2011]<br />
<br />
[http://www.genderit.org/edition/power-stories-reclaim-womens-rights Take Back the Tech! campaign in 2012]<br />
<br />
===''Partners' relevant events''===<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/category/discussion-theme/genderitorg-12th-awid-forum-2012 AWID Forum in 2012]<br />
<br />
<br />
Other local, regional or global initiatives or events related to access, FLOSS, media, human rights, among others.<br />
<br />
<br />
''CSW: A real case of coverage''<br />
<br />
We have attached one report featuring as an example the coverage planned and executed (including final statistical reporting) of the 2013 Commission on the Status of Women (CSW) session in New York. This will be a good case to read through in order to get a sense of how GenderIT.org and APC communications team work like during a relevant event coverage. Check it out here: [[Media:File:CSW case example.pdf]]<br />
<br />
== '''What kind of outputs do we expect from events' coverage?''' ==<br />
<br />
<br />
Writers attending to key events on behalf of GenderIT.org/APCNews or following them remotely are expected to produce certain outputs that will later feed an edition (if that is the case) or be featured on GenderIT.org/APC.org websites, on other APC websites when relevant, and on social media.<br />
<br />
<br />
<br />
=== ''Feminist Talks (blog posts)'' ===<br />
<br />
<br />
'''1.''' Feminist Talks doesn't have to be too long. Around 1500 words is perfectly fine, and we encourage to input as much insight and analysis as possible in the writing. It is usually personal and insightful.<br />
<br />
'''2.''' You can submit your inputs or engage in discussions around women's rights issues in GenderIT.org's Feminist Talk. To submit your blog you should create an account http://www.genderit.org/user/register and then navigate to http://www.genderit.org/node/add/blog. <br />
<br />
'''3.''' Make sure you have chosen a profile picture for you and a short byline for the “about” field. Other information is optional.<br />
<br />
'''4.''' You can also send your reflections and photos directly to genderit@apcwomen.org and we will upload them for you. You do not need to be registered to send a comment on other posts.<br />
<br />
'''5.''' Off-site team: Those following the event off-site can help with blogging by using the tweets sent by on-site team as input for their articles, as well as the webcasts when available. This is a good practice that allows us to produce more content and to help on-site team.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
How technology informs my activism: A conversation with gender and technology activists in Barcelona<br />
<br />
Video: Feminist talks on a feminist internet<br />
<br />
Never mind the nipples: Sex, gender and social media <br />
<br />
How crucial is anonymity for sexual exploration and promoting sexual rights activism<br />
<br />
Two weeks to push for greater recognition of our rights<br />
<br />
<br />
<br />
=== ''Articles/interviews'' ===<br />
<br />
<br />
'''1.''' Writers attending the event are expected to write sessions chronicles, articles on hot topics, or interview key advocacy referents. This can be in text format, or video, or an audio interview. It will depend on the kind of material and its quality (you might have a great interview in recorded audio but if the sound quality is not good enough, it is possible that it might have to be turned into a text piece).<br />
<br />
'''2.''' Some of the articles/interviews will be prearranged with GenderIT.org editorial team before the event, having in mind the people attending to that space and the topics covered.<br />
<br />
'''3.''' Criteria for writing articles (extension, depth) is detailed in the GenderIT.org's payment squeme (link) and shall be coordinated with the editors beforehand.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
Stripping the IGF bare: where are women´s rights?<br />
<br />
Interview with Nana Darkoa: Adventures from the bedroom of an African woman<br />
<br />
Let's talk about gender analysis in the LAC IGF<br />
<br />
Women at the IGF: Now we need to mainstream gender<br />
<br />
Digital World 2012: stories to end violence against women <br />
<br />
Azerbaijan: When online security is synonymous with personal safety<br />
<br />
<br />
<br />
=== ''Twitter'' ===<br />
<br />
<br />
1. '''Make sure that you have a Twitter account.''' Make it open (otherwise people who are not following you – the ones we want to reach- won't be able to see your tweets). If you want to keep your Twitter account private you can create a new one for work. Make your user name as personal as you can, (eg: sonia_apc rather than womensprogramme_apc). People are more interested in personal opinions and views rather than organisational speech. Writers are expected to use their accounts for tweeting during events. <br />
<br />
2. '''We use the hashtags''': #genderit and #genderitES for Spanish. APC Twitter accounts are @APC_News @APCNoticias @APCNouvelles @GenderITorg @GenderITorgES.<br />
<br />
3. '''Find out and send us the Twitter accounts of partners/members attending''', so that we can follow them with the GenderIT.org and APC accounts.<br />
<br />
4. Sometimes, before an event, a set of predefined tweets is shared via email to facilitate the tweeting and the dissemination of our key messages.<br />
<br />
5. '''Once at the event, find out what hashtag people are using.''' Sometime there are various hashtags circulating. For instance, with CSW, tweeples could be using various tags — such as #CSW, #CSW59 or #CSW2012. Identify the most popular one. We'll use that hashtag for the box on APC.org.<br />
<br />
6. '''If this event does not have an active hashtag, we will set up one''', probably using somehow the name of the conference, so all tweeples can relate to. This way, you can easily follow the conversation and then create one page with all posts from the event for easy reference (check Storify below). <br />
<br />
7. '''Tweet (in English and/or in Spanish)!''' You can quote panelists and participants (short, summarised and catchy phrases) and/or your reactions to what it's being said, about conversations you have or overhear, your observations, soundbytes, links to interesting resources or news, photos, reminders about events. You can also reply to other participants; many times real participation takes. <br />
<br />
8. '''Re-tweet interesting stuff from other people:''' this will help us build our Twitter audience. <br />
<br />
9. '''Blog.''' Many times you can cut and paste some tweets and replies and make an interesting post with little effort. You can also use tweets for reporting or as a way of taking notes. <br />
<br />
10. '''Invite people to share their own writings:''' You will not be alone in the coverage of an event, so this other people are your allies. Contact them via Twitter or email to give them a heads up on the coverage plans and ask them to send you their stuff.<br />
<br />
Example: Are you going to be writing at #IGF? If so, I would love to include your post(s) in our ongoing event coverage. Send me a DM with a link to your post, and we’ll get it added to our site. <br />
<br />
11. '''Remote team:''' Keep an eye out on tweets, re-tweet conversations, reply and join conversations, and conduct deeper research on tweeted links. Engage as much as possible – we know it is hard not being present physically to follow up what is going on at the event, but we promise you that it is completely possible and useful.<br />
<br />
<br />
'''Tips for live tweeting:'''<br />
<br />
'''Make a plan:''' Choose your sessions in advance. If you are attending an event with multiple tracks, schedule which sessions you’ll be attending and covering in advance. If you don’t want to cover everything you sit in on, consider what your readers will benefit from the most. Once you decide what you will be covering, prep your posts with these basics to save time:<br />
<br />
- Name of the session and speaker: Make sure you can provide a bit of background about the speaker, including links to his/her company, Twitter handle, etc. <br />
<br />
- Details of the session: Is there a Slideshare or a programme available that you can review in advance? if so, it may help to type up the basic structure of the presentation and then fill in the details as you listen.<br />
<br />
'''Tip:''' Be careful. Some events are more private that others; if it's a small event make sure that people are OK with your tweeting.<br />
<br />
'''Bonus tip:''' If you have multiple people covering an event, set up a Google spreadsheet with the list of all sessions, times, and people covering the conference. From there, writers can indicate which sessions they are covering so they are not duplicating efforts.<br />
<br />
'''Decide on a writing platform.''' In addition to deciding which sessions you want to cover, decide how you want to capture information from each session. Because internet connections can never be relied upon 100 percent, we suggest to write in a text editor so you don’t have to worry about connectivity.<br />
<br />
Decide what kind of content to produce: There are a number of ways you can cover sessions at an event, and you should decide what format will work best for your audience before you get on-site. Here are a few general options:<br />
<br />
1- '''Live blogging:''' This is reporting from a session in real time.<br />
<br />
'''Pro:''' You can provide immediate coverage of an event.<br />
<br />
'''Con:''' Depending on how many posts you publish, your audience may feel a bit overwhelmed.<br />
<br />
2- '''Daily wrap-ups:''' This is providing highlights from the conference from each day.<br />
<br />
'''Pro:''' These posts are easy to digest.<br />
<br />
'''Con:''' It’s not a good option if your audience wants detailed information.<br />
<br />
3- '''Post-event coverage:''' Collect content that you can then use after the event. This content may be a bit more refined, and it could have a bit of a different spin than “straight coverage” of a session.<br />
<br />
'''Pro:''' You can focus on the best content from the event and in essence be a filter for your audience.<br />
<br />
'''Con:''' This is not a good option if the information is time sensitive, or there are a lot of other people covering the event quickly.<br />
<br />
Regardless of if you are publishing your content in real time or dripping it out, here are some ways to generate interest in your coverage:<br />
<br />
'''Announce what you will cover.''' If you are going to be changing your regular posting schedule and publishing live blogs throughout a conference, it’s a good idea to let your readers know. You can also use this post to announce if someone from your organization will be speaking.<br />
<br />
Example: Check out what #genderit announced that will be covering at the #CSW59<br />
<br />
'''Tease your session.''' If you are speaking at the event, you may want to write about your session before it occurs. Not only is this is a great way to repurpose content that you have spent a lot of time creating, but it also builds anticipation for your session.<br />
<br />
Example: Susan Marx wrote about an internet intermediaries’ guide to social media and online VAW fighting strategy, which was a preview of the presentation she gave last year at #CSW58.<br />
<br />
'''Step-by-step posts.''' One classic way to cover a session is to do a rundown of the ideas the speaker shared, following the same structure as the presentation. This is especially easy to do if the speaker is covering a process or another well-organized topic.<br />
<br />
Example: Susan Marx shared her wrap-up of a panel discussion on how to eradicate online violence against women at the #CSW59.<br />
<br />
'''Bonus tip:''' If you are doing live tweeting, you can use this: “I put a live blogging disclaimer at the top of the post that says, ‘I’m live tweeting, excuse lapses of grammar, spelling errors, and typos‘” <br />
<br />
'''Summary of tweets.''' Another fun thing you can do is follow the Twitter stream during the presentation and record the most insightful and popular tweets and share them in a post (check Storify below).<br />
<br />
Example: Missed the event and looking for a compilation of debates? Check our most tweetable moments from #CSW58<br />
<br />
'''A compilation of Instagram photos.''' There are a lot of intangibles you experience when attending an event. Capture them by taking photos or curating what others have shared and post that on Twitter (always remember to respect people's right to privacy and anonymity).<br />
<br />
Example: 45 GenderIT.org insider Instagram pics from workshops at #CSW58<br />
<br />
'''Wrap-up posts.''' When necessary, instead of covering individual sessions, consider writing a wrap-up post that outlines the key points you found most valuable or compelling, and share the link with a tweet that is appealing and captures the best of the article.<br />
<br />
Example: #SectionJ: From footnotes to headlines https://www.apc.org/en/node/20266/ <br />
<br />
After you do all your thing on Twitter, and the event is almost finished, you need to give it a bit of love. Here are some easy ways to increase the distribution of your conference content on Twitter (and this can also apply by email):<br />
<br />
- Include the event hashtag in the title of the materials you are posting on Twitter, since it is an easy way to help spread the word about your post and to have it automatically included in the Twitter stream.<br />
<br />
- Send your content to the event’s organizers too, contacting them via Twitter or email. While your audience will hopefully benefit from your coverage of the event, the event organizers will likely want to see and share your post, as well.<br />
<br />
<br />
=== ''Facebook'' ===<br />
<br />
<br />
1. Take Back the Tech (in English) and APC (in English, Spanish and French) pages are the only official Facebook pages APC uses. <br />
<br />
2. Writers are invited to post on Facebook using their personal accounts all links and photos considered relevant. <br />
<br />
3. Inviting people at the event to “like” the pages and to post relevant links as well is another possibility. <br />
<br />
<br />
=== ''Pictures'' ===<br />
<br />
<br />
1. We always appreciate having pictures to illustrate the articles or for some other purposes, so picture taking is more than encouraged.<br />
2. You can upload them to a Flickr account and share them with the editors, also by email, or upload it yourself to illustrate your output.<br />
<br />
'''Tip:''' Please remember that this entails security and privacy issues for the people in the pictures, so make sure that the people appearing in the image is fine with that. <br />
<br />
<br />
=== ''Storify'' ===<br />
<br />
1. Storify has been successfully used during some events to compile relevant tweets, Facebook posts, YouTube videos and other social media posts. It's a fast and easy way to compose blog posts-like content. <br />
<br />
2. Its also a very useful tool to condense and store in one place debates or interviews carried over Twitter, for instance (as in the first example below).<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[What does it take to create a feminist internet?]<br />
<br />
[Day 3: Sexual Right, Privacy and Technology - Common Concerns Moving Forward]<br />
<br />
<br />
=== ''Newsletter edition'' ===<br />
<br />
<br />
Usually, after a big event coverage, a special GenderIT.org/APCNews edition is released (this is not always the case) but it is quite a key and relevant moment in GenderIT.org's editorial timeline, since it spikes our readership interest and it keeps us as reference points on the gender lensed coverage of events that are usually (if covered at all) covered from other perspectives.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
Gender peripheries of the Internet Governance Forum in Latin America<br />
<br />
Gender, sexuality and the internet<br />
<br />
9th IGF: Feminist talks scale over the walls of internet governance<br />
<br />
<br />
== '''One last word''' ==<br />
<br />
<br />
''Before attending an event''<br />
<br />
1. Check all the publications/promotional material you can bring with you, and with staff members that live in your city. <br />
<br />
2. If you think the event is relevant enough for us to have some materials printed, let us know. <br />
<br />
3. Also check their luggage restrictions and if there's budget available to pay extra weight.<br />
<br />
<br />
''During the event''<br />
<br />
1. Remember to collect business cards of people you consider relevant.<br />
<br />
2. Offer attendees to sign up a sheet for our newsletters.<br />
<br />
<br />
''After attending the event''<br />
<br />
1. Report back to the team on how the event went and all relevant information.<br />
<br />
2. Type down the information you collected on the business cards and please send it to the team.<br />
<br />
3. Send us the suscribers email addresses for the newsletters and we will add them to our database. <br />
<br />
<br />
<br />
== '''Read more: Why are events' coverages important for GenderIT.org''' ==<br />
<br />
<br />
From February to September of 2014, GenderIT.org team carried an evaluation process to respond, among others, to these questions:<br />
<br />
''Is GenderIT.org reaching the audience that it aims to reach?''<br />
<br />
''To what extent are our readers satisfied with GenderIT.org website and content?''<br />
<br />
We consider that it is relevant to feature this information in this section since it will give writers a better idea of the kind of use our readership and writers are making of the website content, and what they like the most, therefore orientate the materials produced during coverage.<br />
<br />
The evaluation data was collected through a readership survey, a survey and interviews with GenderIT.org writers, and an analysis of the website statistics since 2010 to date.<br />
<br />
''Some relevant highlights from the readership survey [1]:''<br />
<br />
* Type of content: In-depth articles were pointed out as extremely useful, and about a quarter of all respondents ranked feminist talks as extremely important.<br />
<br />
* Type of content format: Half of respondents said that they prefer all the three formats named (audio, text, video). Among the remainder, text was the clear favourite.<br />
<br />
* What do readers get from GenderIT.org: Majority of respondents agreed and agreed strongly that when they read GenderIT.org I feel more informed on topics. <br />
<br />
* Majority of respondents disagreed with the affirmation that when they read GenderIT.org they find information similar to what they can get in other websites. <br />
<br />
* Majority of respondents agreed and agreed strongly with the affirmation that when they read GenderIT.org they get an alternative perspective on the issues.<br />
<br />
<br />
''Some relevant highlights from the writers' survey and interviews [2]:''<br />
<br />
* In terms of events coverage, all those who had covered events spoke of the experience as exhilirating if exhausting. There were no suggestions on improving how things are run during the events themselves. <br />
<br />
* It is clear that the events are significant in building the GenderIT.org 'family', making people feel connected and supported.<br />
<br />
* The articles coming from an event are staggered to maintain interest.<br />
<br />
* GenderIT.org needs more and better quality audio for the use in community radio stations.<br />
<br />
<br />
''References:''<br />
<br />
[1] In mid-2014 GenderIT.org disseminated an online questionnaire, requesting that all users of GenderIT.org respond. By the closing date, a total of 162 people had submitted a full questionnaire response to GenderIT.org. <br />
<br />
[2] The writers survey was conducted in July 2014, with a pool of around 100 former and current contributors to GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=General_orientation_for_events_coverage&diff=559General orientation for events coverage2015-06-07T19:24:20Z<p>Tarryn: /* APC's projects related events */</p>
<hr />
<div>[[File:coverage.jpg|thumb|200px]]<br />
<br />
GenderIT.org and APCNews have both been recognised for the coverage done in events by readers and writers, becoming one of its substantial outputs when it comes to gender, internet rights and ICT policy arena. <br />
<br />
<br />
== '''What is the dynamic we propose to the team for an event coverage?''' ==<br />
<br />
<br />
GenderIT.org and APCNews commits to keep the core writers informed about any upcoming event of relevance for coverage, so the team is available and ready to go. Team meetings and email contacts will be the spaces to have these discussions and updates.<br />
<br />
The editorial teams team will develop a communications plan before the event, to make sure we are all on the same page, adding background information on the event, why it is relevant to our advocacy goals, what are the responsabilities of each one of us, what are the outputs expected, and what are the expectations in general.<br />
<br />
This plan will include orientation for work previously, during and after the event. Many times the event itself is just the tip of the iceberg: many other things will be needed before, during and after the event in terms of coverage. Please refer to the CSW case linked to this document to use as an example of what we mean by this.<br />
<br />
Once the event its happening, weather we are carrying an on-site or an off-site coverage, the editors will be in touch and available for the writers as much as possible to provide orientation, feedback on whatever is necessary and to make suggestions.<br />
<br />
As mentioned before, sometimes after a big event we prepare a newsletter edition. The content of this edition can be composed by on-site produced content, or in some cases of special materials - usually in-depth articles – commissioned to complement the on-site delivered content. <br />
<br />
One of the ways that the APCNews/GenderIT.org teams have of assessing and monitoring the reach of these editions is through a website statistics report done one month after the edition went out. This search tell us which were the most read materials, the number of visits to the website, the impact on social media, among other indicators. And our experience with these reports has showed us so far that GenderIT.org events coverages are quite successful. These reports can be shared with the team of writers if you consider it is a relevant resource for your orientation.<br />
<br />
<br />
<br />
== '''Events usually covered by GenderIT.org''' ==<br />
<br />
<br />
Even though coverage opportunities change, and our advocacy objectives might give more importance to some events over the others, the coverage that GenderIT.org usually does relates to these spaces:<br />
<br />
===''UN spaces:''===<br />
<br />
''Global Internet Governance Forum (IGF)''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-2010 2010 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-2011-internet-governance-forum 2011 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/IGF2012 2012 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-indonesia 2013 IGF coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/9th-igf-feminist-talks-scale-over-walls-internet-governance 2014 IGF coverage condensed in special edition]<br />
<br />
<br />
''Regional and national IGFs''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-peripheries-internet-governance-forum-latin-america 2013 LAC IGF coverage condensed in special edition] (full coverage in [http://www.genderit.org/es/edition/periferias-del-g-nero-en-el-foro-de-gobernanza-de-internet-en-am-rica-latina Spanish])<br />
<br />
[http://www.genderit.org/feminist-talk/asia-pacific-stakeholders-assert-human-rights-should-be-heart-internet-governance-disc 2014 Asia-Pacific IGF] (stand alone article)<br />
<br />
[http://www.genderit.org/feminist-talk/impacting-global-advocacy-tech-related-violence-against-women-through-regional-igfs Impacting global advocacy on tech-related violence against women through regional IGFs] (stand alone article)<br />
<br />
<br />
''Commission on the Status of Women''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/genderitorg-commission-status-women-2011-new-york 2011 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/end-violence-against-women-language-and-action-csw57th 2013 CSW coverage condensed in special edition]<br />
<br />
[http://www.genderit.org/edition/back-and-forth-advancement-womens-rights-csw58 2014 CSW coverage condensed in special edition]<br />
<br />
<br />
''UN Committee on the Elimination of Discrimination against Women (CEDAW)'' <br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/resources/cedaw-apcs-submission-commitee-general-recommendation-girls-women-s-right-education CEDAW: APC's Submission to the Commitee on the General recommendation on girls’/women’s right to education] (stand alone article/resource)<br />
<br />
<br />
''Universal Periodic Review''<br />
<br />
<blockquote>Example:</blockquote><br />
<br />
[http://www.genderit.org/edition/womens-human-rights-online-universal-periodic-review Human Rights Council's Universal Periodic Review (UPR)]<br />
<br />
<br />
===''APC's projects related events''===<br />
<br />
''On sexual and internet rights:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet-imagineafeministinternet Global Meeting on Gender, Sexuality and the Internet in 2014] (coverage in synch)<br />
<br />
[http://www.genderit.org/edition/gender-sexuality-and-internet Global Meeting on Gender, Sexuality and the Internet in 2014] (special edition)<br />
<br />
[http://www.genderit.org/edition/erotics-all-over-constellations-debates-sexual-rights-privacy-and-technology EROTICS project meetings in India and United States in 2013] (special edition)<br />
<br />
<br />
''On violence against women:''<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[http://www.genderit.org/edition/taking-control-technology-end-violence-against-women Take Back the Tech! campaign in 2011]<br />
<br />
[http://www.genderit.org/edition/power-stories-reclaim-womens-rights Take Back the Tech! campaign in 2012]<br />
<br />
===''Partners' relevant events''===<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[AWID Forum in 2012]<br />
<br />
<br />
Other local, regional or global initiatives or events related to access, FLOSS, media, human rights, among others.<br />
<br />
<br />
''CSW: A real case of coverage''<br />
<br />
We have attached one report featuring as an example the coverage planned and executed (including final statistical reporting) of the 2013 Commission on the Status of Women (CSW) session in New York. This will be a good case to read through in order to get a sense of how GenderIT.org and APC communications team work like during a relevant event coverage. Check it out here: [[Media:File:CSW case example.pdf]]<br />
<br />
== '''What kind of outputs do we expect from events' coverage?''' ==<br />
<br />
<br />
Writers attending to key events on behalf of GenderIT.org/APCNews or following them remotely are expected to produce certain outputs that will later feed an edition (if that is the case) or be featured on GenderIT.org/APC.org websites, on other APC websites when relevant, and on social media.<br />
<br />
<br />
<br />
=== ''Feminist Talks (blog posts)'' ===<br />
<br />
<br />
'''1.''' Feminist Talks doesn't have to be too long. Around 1500 words is perfectly fine, and we encourage to input as much insight and analysis as possible in the writing. It is usually personal and insightful.<br />
<br />
'''2.''' You can submit your inputs or engage in discussions around women's rights issues in GenderIT.org's Feminist Talk. To submit your blog you should create an account http://www.genderit.org/user/register and then navigate to http://www.genderit.org/node/add/blog. <br />
<br />
'''3.''' Make sure you have chosen a profile picture for you and a short byline for the “about” field. Other information is optional.<br />
<br />
'''4.''' You can also send your reflections and photos directly to genderit@apcwomen.org and we will upload them for you. You do not need to be registered to send a comment on other posts.<br />
<br />
'''5.''' Off-site team: Those following the event off-site can help with blogging by using the tweets sent by on-site team as input for their articles, as well as the webcasts when available. This is a good practice that allows us to produce more content and to help on-site team.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
How technology informs my activism: A conversation with gender and technology activists in Barcelona<br />
<br />
Video: Feminist talks on a feminist internet<br />
<br />
Never mind the nipples: Sex, gender and social media <br />
<br />
How crucial is anonymity for sexual exploration and promoting sexual rights activism<br />
<br />
Two weeks to push for greater recognition of our rights<br />
<br />
<br />
<br />
=== ''Articles/interviews'' ===<br />
<br />
<br />
'''1.''' Writers attending the event are expected to write sessions chronicles, articles on hot topics, or interview key advocacy referents. This can be in text format, or video, or an audio interview. It will depend on the kind of material and its quality (you might have a great interview in recorded audio but if the sound quality is not good enough, it is possible that it might have to be turned into a text piece).<br />
<br />
'''2.''' Some of the articles/interviews will be prearranged with GenderIT.org editorial team before the event, having in mind the people attending to that space and the topics covered.<br />
<br />
'''3.''' Criteria for writing articles (extension, depth) is detailed in the GenderIT.org's payment squeme (link) and shall be coordinated with the editors beforehand.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
Stripping the IGF bare: where are women´s rights?<br />
<br />
Interview with Nana Darkoa: Adventures from the bedroom of an African woman<br />
<br />
Let's talk about gender analysis in the LAC IGF<br />
<br />
Women at the IGF: Now we need to mainstream gender<br />
<br />
Digital World 2012: stories to end violence against women <br />
<br />
Azerbaijan: When online security is synonymous with personal safety<br />
<br />
<br />
<br />
=== ''Twitter'' ===<br />
<br />
<br />
1. '''Make sure that you have a Twitter account.''' Make it open (otherwise people who are not following you – the ones we want to reach- won't be able to see your tweets). If you want to keep your Twitter account private you can create a new one for work. Make your user name as personal as you can, (eg: sonia_apc rather than womensprogramme_apc). People are more interested in personal opinions and views rather than organisational speech. Writers are expected to use their accounts for tweeting during events. <br />
<br />
2. '''We use the hashtags''': #genderit and #genderitES for Spanish. APC Twitter accounts are @APC_News @APCNoticias @APCNouvelles @GenderITorg @GenderITorgES.<br />
<br />
3. '''Find out and send us the Twitter accounts of partners/members attending''', so that we can follow them with the GenderIT.org and APC accounts.<br />
<br />
4. Sometimes, before an event, a set of predefined tweets is shared via email to facilitate the tweeting and the dissemination of our key messages.<br />
<br />
5. '''Once at the event, find out what hashtag people are using.''' Sometime there are various hashtags circulating. For instance, with CSW, tweeples could be using various tags — such as #CSW, #CSW59 or #CSW2012. Identify the most popular one. We'll use that hashtag for the box on APC.org.<br />
<br />
6. '''If this event does not have an active hashtag, we will set up one''', probably using somehow the name of the conference, so all tweeples can relate to. This way, you can easily follow the conversation and then create one page with all posts from the event for easy reference (check Storify below). <br />
<br />
7. '''Tweet (in English and/or in Spanish)!''' You can quote panelists and participants (short, summarised and catchy phrases) and/or your reactions to what it's being said, about conversations you have or overhear, your observations, soundbytes, links to interesting resources or news, photos, reminders about events. You can also reply to other participants; many times real participation takes. <br />
<br />
8. '''Re-tweet interesting stuff from other people:''' this will help us build our Twitter audience. <br />
<br />
9. '''Blog.''' Many times you can cut and paste some tweets and replies and make an interesting post with little effort. You can also use tweets for reporting or as a way of taking notes. <br />
<br />
10. '''Invite people to share their own writings:''' You will not be alone in the coverage of an event, so this other people are your allies. Contact them via Twitter or email to give them a heads up on the coverage plans and ask them to send you their stuff.<br />
<br />
Example: Are you going to be writing at #IGF? If so, I would love to include your post(s) in our ongoing event coverage. Send me a DM with a link to your post, and we’ll get it added to our site. <br />
<br />
11. '''Remote team:''' Keep an eye out on tweets, re-tweet conversations, reply and join conversations, and conduct deeper research on tweeted links. Engage as much as possible – we know it is hard not being present physically to follow up what is going on at the event, but we promise you that it is completely possible and useful.<br />
<br />
<br />
'''Tips for live tweeting:'''<br />
<br />
'''Make a plan:''' Choose your sessions in advance. If you are attending an event with multiple tracks, schedule which sessions you’ll be attending and covering in advance. If you don’t want to cover everything you sit in on, consider what your readers will benefit from the most. Once you decide what you will be covering, prep your posts with these basics to save time:<br />
<br />
- Name of the session and speaker: Make sure you can provide a bit of background about the speaker, including links to his/her company, Twitter handle, etc. <br />
<br />
- Details of the session: Is there a Slideshare or a programme available that you can review in advance? if so, it may help to type up the basic structure of the presentation and then fill in the details as you listen.<br />
<br />
'''Tip:''' Be careful. Some events are more private that others; if it's a small event make sure that people are OK with your tweeting.<br />
<br />
'''Bonus tip:''' If you have multiple people covering an event, set up a Google spreadsheet with the list of all sessions, times, and people covering the conference. From there, writers can indicate which sessions they are covering so they are not duplicating efforts.<br />
<br />
'''Decide on a writing platform.''' In addition to deciding which sessions you want to cover, decide how you want to capture information from each session. Because internet connections can never be relied upon 100 percent, we suggest to write in a text editor so you don’t have to worry about connectivity.<br />
<br />
Decide what kind of content to produce: There are a number of ways you can cover sessions at an event, and you should decide what format will work best for your audience before you get on-site. Here are a few general options:<br />
<br />
1- '''Live blogging:''' This is reporting from a session in real time.<br />
<br />
'''Pro:''' You can provide immediate coverage of an event.<br />
<br />
'''Con:''' Depending on how many posts you publish, your audience may feel a bit overwhelmed.<br />
<br />
2- '''Daily wrap-ups:''' This is providing highlights from the conference from each day.<br />
<br />
'''Pro:''' These posts are easy to digest.<br />
<br />
'''Con:''' It’s not a good option if your audience wants detailed information.<br />
<br />
3- '''Post-event coverage:''' Collect content that you can then use after the event. This content may be a bit more refined, and it could have a bit of a different spin than “straight coverage” of a session.<br />
<br />
'''Pro:''' You can focus on the best content from the event and in essence be a filter for your audience.<br />
<br />
'''Con:''' This is not a good option if the information is time sensitive, or there are a lot of other people covering the event quickly.<br />
<br />
Regardless of if you are publishing your content in real time or dripping it out, here are some ways to generate interest in your coverage:<br />
<br />
'''Announce what you will cover.''' If you are going to be changing your regular posting schedule and publishing live blogs throughout a conference, it’s a good idea to let your readers know. You can also use this post to announce if someone from your organization will be speaking.<br />
<br />
Example: Check out what #genderit announced that will be covering at the #CSW59<br />
<br />
'''Tease your session.''' If you are speaking at the event, you may want to write about your session before it occurs. Not only is this is a great way to repurpose content that you have spent a lot of time creating, but it also builds anticipation for your session.<br />
<br />
Example: Susan Marx wrote about an internet intermediaries’ guide to social media and online VAW fighting strategy, which was a preview of the presentation she gave last year at #CSW58.<br />
<br />
'''Step-by-step posts.''' One classic way to cover a session is to do a rundown of the ideas the speaker shared, following the same structure as the presentation. This is especially easy to do if the speaker is covering a process or another well-organized topic.<br />
<br />
Example: Susan Marx shared her wrap-up of a panel discussion on how to eradicate online violence against women at the #CSW59.<br />
<br />
'''Bonus tip:''' If you are doing live tweeting, you can use this: “I put a live blogging disclaimer at the top of the post that says, ‘I’m live tweeting, excuse lapses of grammar, spelling errors, and typos‘” <br />
<br />
'''Summary of tweets.''' Another fun thing you can do is follow the Twitter stream during the presentation and record the most insightful and popular tweets and share them in a post (check Storify below).<br />
<br />
Example: Missed the event and looking for a compilation of debates? Check our most tweetable moments from #CSW58<br />
<br />
'''A compilation of Instagram photos.''' There are a lot of intangibles you experience when attending an event. Capture them by taking photos or curating what others have shared and post that on Twitter (always remember to respect people's right to privacy and anonymity).<br />
<br />
Example: 45 GenderIT.org insider Instagram pics from workshops at #CSW58<br />
<br />
'''Wrap-up posts.''' When necessary, instead of covering individual sessions, consider writing a wrap-up post that outlines the key points you found most valuable or compelling, and share the link with a tweet that is appealing and captures the best of the article.<br />
<br />
Example: #SectionJ: From footnotes to headlines https://www.apc.org/en/node/20266/ <br />
<br />
After you do all your thing on Twitter, and the event is almost finished, you need to give it a bit of love. Here are some easy ways to increase the distribution of your conference content on Twitter (and this can also apply by email):<br />
<br />
- Include the event hashtag in the title of the materials you are posting on Twitter, since it is an easy way to help spread the word about your post and to have it automatically included in the Twitter stream.<br />
<br />
- Send your content to the event’s organizers too, contacting them via Twitter or email. While your audience will hopefully benefit from your coverage of the event, the event organizers will likely want to see and share your post, as well.<br />
<br />
<br />
=== ''Facebook'' ===<br />
<br />
<br />
1. Take Back the Tech (in English) and APC (in English, Spanish and French) pages are the only official Facebook pages APC uses. <br />
<br />
2. Writers are invited to post on Facebook using their personal accounts all links and photos considered relevant. <br />
<br />
3. Inviting people at the event to “like” the pages and to post relevant links as well is another possibility. <br />
<br />
<br />
=== ''Pictures'' ===<br />
<br />
<br />
1. We always appreciate having pictures to illustrate the articles or for some other purposes, so picture taking is more than encouraged.<br />
2. You can upload them to a Flickr account and share them with the editors, also by email, or upload it yourself to illustrate your output.<br />
<br />
'''Tip:''' Please remember that this entails security and privacy issues for the people in the pictures, so make sure that the people appearing in the image is fine with that. <br />
<br />
<br />
=== ''Storify'' ===<br />
<br />
1. Storify has been successfully used during some events to compile relevant tweets, Facebook posts, YouTube videos and other social media posts. It's a fast and easy way to compose blog posts-like content. <br />
<br />
2. Its also a very useful tool to condense and store in one place debates or interviews carried over Twitter, for instance (as in the first example below).<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
[What does it take to create a feminist internet?]<br />
<br />
[Day 3: Sexual Right, Privacy and Technology - Common Concerns Moving Forward]<br />
<br />
<br />
=== ''Newsletter edition'' ===<br />
<br />
<br />
Usually, after a big event coverage, a special GenderIT.org/APCNews edition is released (this is not always the case) but it is quite a key and relevant moment in GenderIT.org's editorial timeline, since it spikes our readership interest and it keeps us as reference points on the gender lensed coverage of events that are usually (if covered at all) covered from other perspectives.<br />
<br />
<blockquote>Examples:</blockquote><br />
<br />
Gender peripheries of the Internet Governance Forum in Latin America<br />
<br />
Gender, sexuality and the internet<br />
<br />
9th IGF: Feminist talks scale over the walls of internet governance<br />
<br />
<br />
== '''One last word''' ==<br />
<br />
<br />
''Before attending an event''<br />
<br />
1. Check all the publications/promotional material you can bring with you, and with staff members that live in your city. <br />
<br />
2. If you think the event is relevant enough for us to have some materials printed, let us know. <br />
<br />
3. Also check their luggage restrictions and if there's budget available to pay extra weight.<br />
<br />
<br />
''During the event''<br />
<br />
1. Remember to collect business cards of people you consider relevant.<br />
<br />
2. Offer attendees to sign up a sheet for our newsletters.<br />
<br />
<br />
''After attending the event''<br />
<br />
1. Report back to the team on how the event went and all relevant information.<br />
<br />
2. Type down the information you collected on the business cards and please send it to the team.<br />
<br />
3. Send us the suscribers email addresses for the newsletters and we will add them to our database. <br />
<br />
<br />
<br />
== '''Read more: Why are events' coverages important for GenderIT.org''' ==<br />
<br />
<br />
From February to September of 2014, GenderIT.org team carried an evaluation process to respond, among others, to these questions:<br />
<br />
''Is GenderIT.org reaching the audience that it aims to reach?''<br />
<br />
''To what extent are our readers satisfied with GenderIT.org website and content?''<br />
<br />
We consider that it is relevant to feature this information in this section since it will give writers a better idea of the kind of use our readership and writers are making of the website content, and what they like the most, therefore orientate the materials produced during coverage.<br />
<br />
The evaluation data was collected through a readership survey, a survey and interviews with GenderIT.org writers, and an analysis of the website statistics since 2010 to date.<br />
<br />
''Some relevant highlights from the readership survey [1]:''<br />
<br />
* Type of content: In-depth articles were pointed out as extremely useful, and about a quarter of all respondents ranked feminist talks as extremely important.<br />
<br />
* Type of content format: Half of respondents said that they prefer all the three formats named (audio, text, video). Among the remainder, text was the clear favourite.<br />
<br />
* What do readers get from GenderIT.org: Majority of respondents agreed and agreed strongly that when they read GenderIT.org I feel more informed on topics. <br />
<br />
* Majority of respondents disagreed with the affirmation that when they read GenderIT.org they find information similar to what they can get in other websites. <br />
<br />
* Majority of respondents agreed and agreed strongly with the affirmation that when they read GenderIT.org they get an alternative perspective on the issues.<br />
<br />
<br />
''Some relevant highlights from the writers' survey and interviews [2]:''<br />
<br />
* In terms of events coverage, all those who had covered events spoke of the experience as exhilirating if exhausting. There were no suggestions on improving how things are run during the events themselves. <br />
<br />
* It is clear that the events are significant in building the GenderIT.org 'family', making people feel connected and supported.<br />
<br />
* The articles coming from an event are staggered to maintain interest.<br />
<br />
* GenderIT.org needs more and better quality audio for the use in community radio stations.<br />
<br />
<br />
''References:''<br />
<br />
[1] In mid-2014 GenderIT.org disseminated an online questionnaire, requesting that all users of GenderIT.org respond. By the closing date, a total of 162 people had submitted a full questionnaire response to GenderIT.org. <br />
<br />
[2] The writers survey was conducted in July 2014, with a pool of around 100 former and current contributors to GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=552Secure online communications2015-05-29T13:05:53Z<p>Tarryn: /* Virus protection */</p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
=='''Email and email list communication'''==<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
The following principles apply to securely communicating over email:<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
<br />
'''Encrypted email communication'''<br />
<br />
While it is not expected that staff will encrypt all communications, they '''MUST''' be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
<br />
'''Mailing lists'''<br />
<br />
Each time a new person joins an APC mailing list, they '''MUST''' be announced to the list. Footers of all APC mailing lists '''MUST''' include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
<br />
'''Encrypted mailing lists'''<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
<br />
'''General rules for using encrypted lists'''<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
=='''Online data storage and sharing'''==<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members '''MUST''' use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
<br />
'''What should NOT be stored in APC OwnCloud'''<br />
<br />
APC's OwnCloud instance is '''NOT''' encrypted. Team members '''MUST NOT''' use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
<br />
'''Collaboration with external partners'''<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
<br />
'''Shared calendars'''<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
'''OwnCloud and contact synchronisation'''<br />
<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
'''Collaborative document editing'''<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
<br />
Riseup's Etherpad: https://pad.riseup.net<br />
<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
<br />
''OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.''<br />
<br />
<br />
'''Instant messaging and voice'''<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows <br />
use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
'''Using wifi'''<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
=='''Backing up data'''==<br />
<br />
'''General'''<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
'''Encrypting back-up data'''<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
'''Using cloud storage'''<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
'''Data on external devices'''<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
=='''Virus protection'''==<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2. GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
'''Malicious Scripts and Web Browsers'''<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
='''Dealing with sensitive data'''=<br />
<br />
'''Collecting sensitive data'''<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
'''Secure data handling and sharing'''<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
='''Application choice'''=<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
'''Email client'''<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
'''Web browser'''<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
'''Office suite'''<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
='''Instant messaging, audio and video conferencing'''=<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=551Secure online communications2015-05-29T13:04:08Z<p>Tarryn: /* Virus protection */</p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
=='''Email and email list communication'''==<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
The following principles apply to securely communicating over email:<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
<br />
'''Encrypted email communication'''<br />
<br />
While it is not expected that staff will encrypt all communications, they '''MUST''' be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
<br />
'''Mailing lists'''<br />
<br />
Each time a new person joins an APC mailing list, they '''MUST''' be announced to the list. Footers of all APC mailing lists '''MUST''' include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
<br />
'''Encrypted mailing lists'''<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
<br />
'''General rules for using encrypted lists'''<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
=='''Online data storage and sharing'''==<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members '''MUST''' use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
<br />
'''What should NOT be stored in APC OwnCloud'''<br />
<br />
APC's OwnCloud instance is '''NOT''' encrypted. Team members '''MUST NOT''' use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
<br />
'''Collaboration with external partners'''<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
<br />
'''Shared calendars'''<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
'''OwnCloud and contact synchronisation'''<br />
<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
'''Collaborative document editing'''<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
<br />
Riseup's Etherpad: https://pad.riseup.net<br />
<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
<br />
''OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.''<br />
<br />
<br />
'''Instant messaging and voice'''<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows <br />
use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
'''Using wifi'''<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
=='''Backing up data'''==<br />
<br />
'''General'''<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
'''Encrypting back-up data'''<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
'''Using cloud storage'''<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
'''Data on external devices'''<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
=='''Virus protection'''==<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2. GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
'''Malicious Scripts and Web Browsers'''<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
='''Dealing with sensitive data'''=<br />
<br />
'''Collecting sensitive data'''<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
'''Secure data handling and sharing'''<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
='''Application choice'''=<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
'''Email client'''<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
'''Web browser'''<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
'''Office suite'''<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
='''Instant messaging, audio and video conferencing'''=<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=550Secure online communications2015-05-29T13:02:51Z<p>Tarryn: /* Backing up data */</p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
=='''Email and email list communication'''==<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
The following principles apply to securely communicating over email:<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
<br />
'''Encrypted email communication'''<br />
<br />
While it is not expected that staff will encrypt all communications, they '''MUST''' be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
<br />
'''Mailing lists'''<br />
<br />
Each time a new person joins an APC mailing list, they '''MUST''' be announced to the list. Footers of all APC mailing lists '''MUST''' include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
<br />
'''Encrypted mailing lists'''<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
<br />
'''General rules for using encrypted lists'''<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
=='''Online data storage and sharing'''==<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members '''MUST''' use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
<br />
'''What should NOT be stored in APC OwnCloud'''<br />
<br />
APC's OwnCloud instance is '''NOT''' encrypted. Team members '''MUST NOT''' use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
<br />
'''Collaboration with external partners'''<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
<br />
'''Shared calendars'''<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
'''OwnCloud and contact synchronisation'''<br />
<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
'''Collaborative document editing'''<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
<br />
Riseup's Etherpad: https://pad.riseup.net<br />
<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
<br />
''OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.''<br />
<br />
<br />
'''Instant messaging and voice'''<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows <br />
use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
'''Using wifi'''<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
=='''Backing up data'''==<br />
<br />
'''General'''<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
'''Encrypting back-up data'''<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
'''Using cloud storage'''<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
'''Data on external devices'''<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
='''Virus protection'''=<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
'''Malicious Scripts and Web Browsers'''<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
='''Dealing with sensitive data'''=<br />
<br />
'''Collecting sensitive data'''<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
'''Secure data handling and sharing'''<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
='''Application choice'''=<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
'''Email client'''<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
'''Web browser'''<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
'''Office suite'''<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
='''Instant messaging, audio and video conferencing'''=<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=549Secure online communications2015-05-29T13:02:04Z<p>Tarryn: /* Online data storage and sharing */</p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
=='''Email and email list communication'''==<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
The following principles apply to securely communicating over email:<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
<br />
'''Encrypted email communication'''<br />
<br />
While it is not expected that staff will encrypt all communications, they '''MUST''' be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
<br />
'''Mailing lists'''<br />
<br />
Each time a new person joins an APC mailing list, they '''MUST''' be announced to the list. Footers of all APC mailing lists '''MUST''' include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
<br />
'''Encrypted mailing lists'''<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
<br />
'''General rules for using encrypted lists'''<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
=='''Online data storage and sharing'''==<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members '''MUST''' use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
<br />
'''What should NOT be stored in APC OwnCloud'''<br />
<br />
APC's OwnCloud instance is '''NOT''' encrypted. Team members '''MUST NOT''' use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
<br />
'''Collaboration with external partners'''<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
<br />
'''Shared calendars'''<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
'''OwnCloud and contact synchronisation'''<br />
<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
'''Collaborative document editing'''<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
<br />
Riseup's Etherpad: https://pad.riseup.net<br />
<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
<br />
''OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.''<br />
<br />
<br />
'''Instant messaging and voice'''<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows <br />
use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
'''Using wifi'''<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
='''Backing up data'''=<br />
<br />
'''General'''<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
'''Encrypting back-up data'''<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
'''Using cloud storage'''<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
'''Data on external devices'''<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
<br />
='''Virus protection'''=<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
'''Malicious Scripts and Web Browsers'''<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
='''Dealing with sensitive data'''=<br />
<br />
'''Collecting sensitive data'''<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
'''Secure data handling and sharing'''<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
='''Application choice'''=<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
'''Email client'''<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
'''Web browser'''<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
'''Office suite'''<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
='''Instant messaging, audio and video conferencing'''=<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=548Secure online communications2015-05-29T12:57:21Z<p>Tarryn: /* Online data storage and sharing */</p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
=='''Email and email list communication'''==<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
The following principles apply to securely communicating over email:<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
<br />
'''Encrypted email communication'''<br />
<br />
While it is not expected that staff will encrypt all communications, they '''MUST''' be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
<br />
'''Mailing lists'''<br />
<br />
Each time a new person joins an APC mailing list, they '''MUST''' be announced to the list. Footers of all APC mailing lists '''MUST''' include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
<br />
'''Encrypted mailing lists'''<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
<br />
'''General rules for using encrypted lists'''<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
=='''Online data storage and sharing'''==<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members MUST use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
What should NOT be stored in APC OwnCloud<br />
<br />
APC's OwnCloud instance is NOT encrypted. Team members MUST NOT use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
Collaboration with external partners<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
Shared calendars<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
OwnCloud and contact synchronisation<br />
<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
Collaborative document editing<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
Riseup's Etherpad: https://pad.riseup.net<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.<br />
<br />
Instant messaging and voice<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
Using wifi<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
='''Backing up data'''=<br />
<br />
'''General'''<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
'''Encrypting back-up data'''<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
'''Using cloud storage'''<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
'''Data on external devices'''<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
<br />
='''Virus protection'''=<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
'''Malicious Scripts and Web Browsers'''<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
='''Dealing with sensitive data'''=<br />
<br />
'''Collecting sensitive data'''<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
'''Secure data handling and sharing'''<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
='''Application choice'''=<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
'''Email client'''<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
'''Web browser'''<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
'''Office suite'''<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
='''Instant messaging, audio and video conferencing'''=<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=547Secure online communications2015-05-29T12:56:58Z<p>Tarryn: /* APC Security Policy */</p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
=='''Email and email list communication'''==<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
The following principles apply to securely communicating over email:<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
<br />
'''Encrypted email communication'''<br />
<br />
While it is not expected that staff will encrypt all communications, they '''MUST''' be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
<br />
'''Mailing lists'''<br />
<br />
Each time a new person joins an APC mailing list, they '''MUST''' be announced to the list. Footers of all APC mailing lists '''MUST''' include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
<br />
'''Encrypted mailing lists'''<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
<br />
'''General rules for using encrypted lists'''<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
='''Online data storage and sharing'''=<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members MUST use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
What should NOT be stored in APC OwnCloud<br />
<br />
APC's OwnCloud instance is NOT encrypted. Team members MUST NOT use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
Collaboration with external partners<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
Shared calendars<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
OwnCloud and contact synchronisation<br />
<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
Collaborative document editing<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
Riseup's Etherpad: https://pad.riseup.net<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.<br />
<br />
Instant messaging and voice<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
Using wifi<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
='''Backing up data'''=<br />
<br />
'''General'''<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
'''Encrypting back-up data'''<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
'''Using cloud storage'''<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
'''Data on external devices'''<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
<br />
='''Virus protection'''=<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
'''Malicious Scripts and Web Browsers'''<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
='''Dealing with sensitive data'''=<br />
<br />
'''Collecting sensitive data'''<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
'''Secure data handling and sharing'''<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
='''Application choice'''=<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
'''Email client'''<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
'''Web browser'''<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
'''Office suite'''<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
='''Instant messaging, audio and video conferencing'''=<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=546Secure online communications2015-05-29T12:53:15Z<p>Tarryn: </p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
'''Email and email list communication'''<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
The following principles apply to securely communicating over email:<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
<br />
'''Encrypted email communication'''<br />
<br />
While it is not expected that staff will encrypt all communications, they '''MUST''' be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
<br />
'''Mailing lists'''<br />
<br />
Each time a new person joins an APC mailing list, they '''MUST''' be announced to the list. Footers of all APC mailing lists '''MUST''' include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
<br />
'''Encrypted mailing lists'''<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
<br />
'''General rules for using encrypted lists'''<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
='''Online data storage and sharing'''=<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members MUST use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
What should NOT be stored in APC OwnCloud<br />
<br />
APC's OwnCloud instance is NOT encrypted. Team members MUST NOT use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
Collaboration with external partners<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
Shared calendars<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
OwnCloud and contact synchronisation<br />
<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
Collaborative document editing<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
Riseup's Etherpad: https://pad.riseup.net<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.<br />
<br />
Instant messaging and voice<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
Using wifi<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
='''Backing up data'''=<br />
<br />
'''General'''<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
'''Encrypting back-up data'''<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
'''Using cloud storage'''<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
'''Data on external devices'''<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
<br />
='''Virus protection'''=<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
'''Malicious Scripts and Web Browsers'''<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
='''Dealing with sensitive data'''=<br />
<br />
'''Collecting sensitive data'''<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
'''Secure data handling and sharing'''<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
='''Application choice'''=<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
'''Email client'''<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
'''Web browser'''<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
'''Office suite'''<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
='''Instant messaging, audio and video conferencing'''=<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=545Secure online communications2015-05-29T12:52:41Z<p>Tarryn: /* APC Security Policy */</p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
'''Email and email list communication'''<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
The following principles apply to securely communicating over email:<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
<br />
'''Encrypted email communication'''<br />
<br />
While it is not expected that staff will encrypt all communications, they '''MUST''' be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
<br />
'''Mailing lists'''<br />
<br />
Each time a new person joins an APC mailing list, they '''MUST''' be announced to the list. Footers of all APC mailing lists '''MUST''' include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
<br />
'''Encrypted mailing lists'''<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
<br />
'''General rules for using encrypted lists'''<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
='''Online data storage and sharing'''=<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members MUST use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
What should NOT be stored in APC OwnCloud<br />
<br />
APC's OwnCloud instance is NOT encrypted. Team members MUST NOT use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
Collaboration with external partners<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
Shared calendars<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
OwnCloud and contact synchronisation<br />
<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
Collaborative document editing<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
Riseup's Etherpad: https://pad.riseup.net<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.<br />
<br />
Instant messaging and voice<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
Using wifi<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
='''Backing up data'''=<br />
<br />
'''General'''<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
'''Encrypting back-up data'''<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
'''Using cloud storage'''<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
'''Data on external devices'''<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
<br />
='''Virus protection'''=<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
'''Malicious Scripts and Web Browsers'''<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
='''Dealing with sensitive data'''=<br />
<br />
'''Collecting sensitive data'''<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
'''Secure data handling and sharing'''<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
='''Application choice'''=<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
'''Email client'''<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
'''Web browser'''<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
'''Office suite'''<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
='''Instant messaging, audio and video conferencing'''=<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=544Secure online communications2015-05-29T12:48:46Z<p>Tarryn: /* APC Security Policy */</p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
'''Email and email list communication'''<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
<br />
The following principles apply to securely communicating over email:<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
'''Encrypted email communication'''<br />
<br />
While it is not expected that staff will encrypt all communications, they '''MUST''' be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
<br />
'''Mailing lists'''<br />
<br />
Each time a new person joins an APC mailing list, they '''MUST''' be announced to the list. Footers of all APC mailing lists '''MUST''' include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
<br />
'''Encrypted mailing lists'''<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
General rules for using encrypted lists<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
='''Online data storage and sharing'''=<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members MUST use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
What should NOT be stored in APC OwnCloud<br />
<br />
APC's OwnCloud instance is NOT encrypted. Team members MUST NOT use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
Collaboration with external partners<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
Shared calendars<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
OwnCloud and contact synchronisation<br />
<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
Collaborative document editing<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
Riseup's Etherpad: https://pad.riseup.net<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.<br />
<br />
Instant messaging and voice<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
Using wifi<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
='''Backing up data'''=<br />
<br />
'''General'''<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
'''Encrypting back-up data'''<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
'''Using cloud storage'''<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
'''Data on external devices'''<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
<br />
='''Virus protection'''=<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
'''Malicious Scripts and Web Browsers'''<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
='''Dealing with sensitive data'''=<br />
<br />
'''Collecting sensitive data'''<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
'''Secure data handling and sharing'''<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
='''Application choice'''=<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
'''Email client'''<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
'''Web browser'''<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
'''Office suite'''<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
='''Instant messaging, audio and video conferencing'''=<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=543Secure online communications2015-05-29T12:48:17Z<p>Tarryn: </p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
'''Email and email list communication'''<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
<br />
The following principles apply to securely communicating over email:<br />
<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
<br />
'''Encrypted email communication'''<br />
<br />
While it is not expected that staff will encrypt all communications, they '''MUST''' be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
<br />
'''Mailing lists'''<br />
<br />
Each time a new person joins an APC mailing list, they '''MUST''' be announced to the list. Footers of all APC mailing lists '''MUST''' include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
<br />
'''Encrypted mailing lists'''<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
General rules for using encrypted lists<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
='''Online data storage and sharing'''=<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members MUST use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
What should NOT be stored in APC OwnCloud<br />
<br />
APC's OwnCloud instance is NOT encrypted. Team members MUST NOT use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
Collaboration with external partners<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
Shared calendars<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
OwnCloud and contact synchronisation<br />
<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
Collaborative document editing<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
Riseup's Etherpad: https://pad.riseup.net<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.<br />
<br />
Instant messaging and voice<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
Using wifi<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
='''Backing up data'''=<br />
<br />
'''General'''<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
'''Encrypting back-up data'''<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
'''Using cloud storage'''<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
'''Data on external devices'''<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
<br />
='''Virus protection'''=<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
'''Malicious Scripts and Web Browsers'''<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
='''Dealing with sensitive data'''=<br />
<br />
'''Collecting sensitive data'''<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
'''Secure data handling and sharing'''<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
='''Application choice'''=<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
'''Email client'''<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
'''Web browser'''<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
'''Office suite'''<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
='''Instant messaging, audio and video conferencing'''=<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=542Secure online communications2015-05-29T12:47:44Z<p>Tarryn: </p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
'''Email and email list communication'''<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
<br />
The following principles apply to securely communicating over email:<br />
<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
<br />
'''Encrypted email communication'''<br />
<br />
While it is not expected that staff will encrypt all communications, they '''MUST''' be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
<br />
'''Mailing lists'''<br />
<br />
Each time a new person joins an APC mailing list, they '''MUST''' be announced to the list. Footers of all APC mailing lists '''MUST''' include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
<br />
'''Encrypted mailing lists'''<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
General rules for using encrypted lists<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
='''Online data storage and sharing'''=<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members MUST use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
What should NOT be stored in APC OwnCloud<br />
<br />
APC's OwnCloud instance is NOT encrypted. Team members MUST NOT use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
Collaboration with external partners<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
Shared calendars<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
OwnCloud and contact synchronisation<br />
<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
Collaborative document editing<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
Riseup's Etherpad: https://pad.riseup.net<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.<br />
<br />
Instant messaging and voice<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
Using wifi<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
='''Backing up data'''=<br />
<br />
'''General'''<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
'''Encrypting back-up data'''<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
'''Using cloud storage'''<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
'''Data on external devices'''<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
<br />
='''Virus protection'''=<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
'''Malicious Scripts and Web Browsers'''<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
='''Dealing with sensitive data'''=<br />
<br />
'''Collecting sensitive data'''<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
'''Secure data handling and sharing'''<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
='''Application choice'''=<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
'''Email client'''<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
'''Web browser'''<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
'''Office suite'''<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
='''Instant messaging, audio and video conferencing'''=<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=541Secure online communications2015-05-29T12:43:06Z<p>Tarryn: /* APC Security Policy */</p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
'''Email and email list communication'''<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
<br />
The following principles apply to securely communicating over email:<br />
<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
<br />
'''Encrypted email communication'''<br />
<br />
While it is not expected that staff will encrypt all communications, they '''MUST''' be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
<br />
'''Mailing lists'''<br />
<br />
Each time a new person joins an APC mailing list, they '''MUST''' be announced to the list. Footers of all APC mailing lists '''MUST''' include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
<br />
'''Encrypted mailing lists'''<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
General rules for using encrypted lists<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
Online data storage and sharing<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members MUST use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
What should NOT be stored in APC OwnCloud<br />
<br />
APC's OwnCloud instance is NOT encrypted. Team members MUST NOT use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
Collaboration with external partners<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
Shared calendars<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
OwnCloud and contact synchronisation<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
Collaborative document editing<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
Riseup's Etherpad: https://pad.riseup.net<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.<br />
<br />
Instant messaging and voice<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
Using wifi<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
Backing up data<br />
<br />
General<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
Encrypting back-up data<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
Using cloud storage<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
Data on external devices<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
<br />
Virus protection<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
Malicious Scripts and Web Browsers<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
Dealing with sensitive data<br />
<br />
Collecting sensitive data<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
Secure data handling and sharing<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
Application choice<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
Email client<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
Web browser<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
Office suite<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
Instant messaging, audio and video conferencing<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=540Secure online communications2015-05-29T12:39:37Z<p>Tarryn: /* APC Security Policy */</p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
'''Email and email list communication'''<br />
<br />
'''Email client security settings'''<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
<br />
The following principles apply to securely communicating over email:<br />
<br />
'''General email communication'''<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you '''MUST''' state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others '''MUST NOT''' be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
Encrypted email communication<br />
<br />
While it is not expected that staff will encrypt all communications, they MUST be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
Mailing lists<br />
<br />
Each time a new person joins an APC mailing list, they MUST be announced to the list. Footers of all APC mailing lists MUST include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
Encrypted mailing lists<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
General rules for using encrypted lists<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
Online data storage and sharing<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members MUST use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
What should NOT be stored in APC OwnCloud<br />
<br />
APC's OwnCloud instance is NOT encrypted. Team members MUST NOT use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
Collaboration with external partners<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
Shared calendars<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
OwnCloud and contact synchronisation<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
Collaborative document editing<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
Riseup's Etherpad: https://pad.riseup.net<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.<br />
<br />
Instant messaging and voice<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
Using wifi<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
Backing up data<br />
<br />
General<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
Encrypting back-up data<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
Using cloud storage<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
Data on external devices<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
<br />
Virus protection<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
Malicious Scripts and Web Browsers<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
Dealing with sensitive data<br />
<br />
Collecting sensitive data<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
Secure data handling and sharing<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
Application choice<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
Email client<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
Web browser<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
Office suite<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
Instant messaging, audio and video conferencing<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=539Secure online communications2015-05-29T12:38:06Z<p>Tarryn: </p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
='''Executive Summary'''=<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
<br />
='''Purpose'''=<br />
<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
='''Scope'''=<br />
<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
='''Perspective users of the policy'''=<br />
<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
='''APC Security Policy'''=<br />
<br />
Email and email list communication<br />
<br />
Email client security settings<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
<br />
The following principles apply to securely communicating over email:<br />
<br />
General email communication<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you MUST state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others MUST NOT be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
Encrypted email communication<br />
<br />
While it is not expected that staff will encrypt all communications, they MUST be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
Mailing lists<br />
<br />
Each time a new person joins an APC mailing list, they MUST be announced to the list. Footers of all APC mailing lists MUST include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
Encrypted mailing lists<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
General rules for using encrypted lists<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
Online data storage and sharing<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members MUST use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
What should NOT be stored in APC OwnCloud<br />
<br />
APC's OwnCloud instance is NOT encrypted. Team members MUST NOT use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
Collaboration with external partners<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
Shared calendars<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
OwnCloud and contact synchronisation<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
Collaborative document editing<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
Riseup's Etherpad: https://pad.riseup.net<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.<br />
<br />
Instant messaging and voice<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
Using wifi<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
Backing up data<br />
<br />
General<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
Encrypting back-up data<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
Using cloud storage<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
Data on external devices<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
<br />
Virus protection<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
Malicious Scripts and Web Browsers<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
Dealing with sensitive data<br />
<br />
Collecting sensitive data<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
Secure data handling and sharing<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
Application choice<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
Email client<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
Web browser<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
Office suite<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
Instant messaging, audio and video conferencing<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=538Secure online communications2015-05-29T12:23:25Z<p>Tarryn: </p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
'''Executive Summary'''<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.<br />
<br />
<br />
Purpose<br />
This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.<br />
<br />
Scope<br />
This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.<br />
<br />
<br />
Perspective users of the policy<br />
APC staff will be responsible for applying the guidelines in the APC Security Policy and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy1. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.<br />
<br />
APC Security Policy<br />
<br />
Email and email list communication<br />
<br />
Email client security settings<br />
<br />
For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TSL as a default setting when configuring a new email account. Without a secure SSL/TSL connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server.<br />
<br />
The following principles apply to securely communicating over email:<br />
<br />
General email communication<br />
<br />
APC staff follows this policy for exchanging email communication:<br />
<br />
* Do not open email and attachments from people you do not trust.<br />
* Use plaintext rather than html, when practical.<br />
* Before forwarding any messages originating in APC lists, evaluate thoroughly whether the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.<br />
* Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.<br />
* If you wish for your message to stay strictly internal, you MUST state clearly that it is internal in the body and the subject line of the message.<br />
* Information that is potentially compromising for you or others MUST NOT be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.<br />
<br />
Encrypted email communication<br />
<br />
While it is not expected that staff will encrypt all communications, they MUST be able to exchange encrypted communication when needed using an OpenPGP key1. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail2 is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.<br />
<br />
* Not all emails exchanged by the team need to be encrypted.<br />
* All sensitive information should be encrypted. Even mildly sensitive information, such as private details about others, or passwords to not-so-important accounts.<br />
* All replies to and forwards of encrypted email messages should also be encrypted.<br />
* The subject line of encrypted messages should be discreet, since this, along with other metadata3, is not encrypted.<br />
* Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.<br />
* If links are pasted into an email then the email should be PGP-signed. The same goes for emails with attachments, which authenticates that neither the content nor link will harm the recipient.<br />
* Team members sign messages when it is important that trust be established.<br />
* Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).<br />
* The most sensitive information should be inserted in email body, not the attachments.<br />
<br />
Remember that email encryption is illegal in some countries. From countries where APC is active, these include Pakistan and Venezuela1. APC staff can consult local organisations and legal support groups to find out:<br />
<br />
* The legality of encrypted communication by individuals<br />
* How encrypted communication is being prosecuted.<br />
<br />
Mailing lists<br />
<br />
Each time a new person joins an APC mailing list, they MUST be announced to the list. Footers of all APC mailing lists MUST include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list.<br />
While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.<br />
<br />
Encrypted mailing lists<br />
<br />
Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:<br />
<br />
* It is certain that all users of the list will be able to use PGP encryption.<br />
* None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.<br />
<br />
''APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).''<br />
<br />
General rules for using encrypted lists<br />
<br />
When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.<br />
<br />
If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!<br />
<br />
Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make subject line informative because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.<br />
<br />
Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.<br />
<br />
An encrypted list breaks one of the most important foundations of cryptography - know who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to carefully think about who you are sending it to and ensuring it can only be opened by that person.<br />
<br />
When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on the trustworthy moderator to report new subscribers or even set-up the mail manager to report new subscriptions, by sending a message to an encrypted list you are sending your top secret message to a re-mailer that you don't control.<br />
<br />
Online data storage and sharing<br />
<br />
Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members MUST use OwnCloud, which works like other commercial services by installing an client1 or for use in a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.<br />
<br />
What should NOT be stored in APC OwnCloud<br />
<br />
APC's OwnCloud instance is NOT encrypted. Team members MUST NOT use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).<br />
<br />
Collaboration with external partners<br />
<br />
Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended.<br />
Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.<br />
<br />
Shared calendars<br />
<br />
APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDav standard, which is compatible with the vast majority of calendar and task-management applications.<br />
<br />
OwnCloud and contact synchronisation<br />
APC staff are encouraged to use APC's OwnCloud for backup of their personal contacts and for synchronisation across devices. This can fully replace synchronisation over gmail accounts and can help APC staff in getting their personal data off Google's servers.<br />
<br />
<br />
Collaborative document editing<br />
<br />
Share files in Owncloud for asynchronous, collaborative document editing. In cases when a real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents, as well as to spreadsheets.<br />
Riseup's Etherpad: https://pad.riseup.net<br />
MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org<br />
<br />
Use Googledocs only in cases when an edited document must include synchronous editing in complex formats that are not available in etherpad.<br />
Be aware that after you finish editing the document in Etherpad, you must download and store it locally. Riseup deletes unused pads after 30 days, unlike the way Googledocs are stored indefinitely.<br />
<br />
OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.<br />
<br />
Instant messaging and voice<br />
<br />
For team's instant communication, APC uses Jitsi VoIP & instant messaging client1. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (xmpp/Jabber, SIP), and is available for all major platforms. Team members must create an account on jit.si (a xmpp/jabber account provided by Jitsi developers). <br />
<br />
Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, Jitsi client must be used as it is the only currently existing cross-platform client than provides full encryption.<br />
<br />
Since most of VoIP communication outside APC takes place over Skype as the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication.<br />
always use jabber or SIP protocols (on Jitsi or other clients) when possible.<br />
Inform your communication partners about the advantages of migrating to secure open protocols and applications.<br />
If you, despite all, can not avoid having a chat over Skype, be aware that content of Skype text chats are stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!<br />
<br />
To make secure VoIP calls from your android mobile to other smart phones or computers, use CSipSimple1 or Lumicall2. This VoIP application for android allows use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall, or Jitsi.<br />
<br />
<br />
Using wifi<br />
<br />
Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use wired connection when you are connecting from your office or home. If you can not avoid using wifi, follow these rules for establishing a secure connection:<br />
<br />
* Never connect to anonymous open networks.<br />
* Connect only to wifi networks that you trust.<br />
* Password protect your home or office wifi network.<br />
* Use WPA2 encryption (strongest) for your home or office wifi network.<br />
* Disable WPA/WPA2 wireless access points.<br />
<br />
Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.<br />
<br />
Backing up data<br />
<br />
General<br />
<br />
According to APC HR policy, all APC staff MUST periodically back up their work-related data1, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices 2.<br />
<br />
Depending on one's email client settings and whether or not you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves if not only for a much quicker recovery time.<br />
<br />
Encrypting back-up data<br />
<br />
It is recommended that all work-related data are backed up with encryption but there are types of data one doesn't need to encrypt such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning1.<br />
<br />
<br />
Using cloud storage<br />
<br />
Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.<br />
<br />
<br />
Data on external devices<br />
<br />
For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.<br />
Transporting sensitive data in hostile environments<br />
When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:<br />
<br />
* Hide such data on your portable device in a secret encrypted drive1, or<br />
* Hide such data inside another, seemingly innocent type of data using steganography. techniques<br />
<br />
<br />
Virus protection<br />
<br />
Every APC staff member is required use and periodically update anti-virus software on their computer. This applies also to staff members whose operating systems are currently not vulnerable to virus contamination, such as GNU/Linux or MacOS. Whether one's computer is directly infected or not, choosing to not use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat.<br />
<br />
It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2.<br />
<br />
GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).<br />
<br />
<br />
Malicious Scripts and Web Browsers<br />
<br />
It is highly recommended that team members configure their browsers in such a way so as to minimise risks of downloading and executing website-embedded malicious scripts.<br />
<br />
Recommended extensions for Firefox and Chrome browsers are:<br />
<br />
Firefox: NoScript, BrowserProtect, BetterPrivacy1<br />
Chrome: NotScripts2.<br />
<br />
Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.<br />
<br />
<br />
Dealing with sensitive data<br />
<br />
Collecting sensitive data<br />
<br />
For collection of personal data, APC is generally guided by terms 1-7 of UK data protection principles, without those being binding in any way legally.1It is the responsibility of project managers to ensure that plans for handling sensitive information such as logistics details like passport numbers are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as data stored on desktops, files servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager who is in charge should develop brief documentation that outlines how will the data be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database) it must be clarified in the documentation which data will be stored, in what format, if it will be encrypted or whether and when it will be erased.<br />
<br />
Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey as well as email questionnaires or by other means that facilitates data collection and manipulation.<br />
<br />
When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:<br />
<br />
* No one besides selected team members and the APC system administrator has access to the collected data.<br />
* Survey results are deleted from LimeSurvey database as soon as they are processed.<br />
<br />
<br />
Secure data handling and sharing<br />
<br />
Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).<br />
<br />
To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP key before sending. For particularly sensitive data it is better to share it as a Keepass database and to communicate the password by phone or an encrypted voice call, e.g. over a Jitsi call.<br />
<br />
<br />
Application choice<br />
<br />
Free and open source software is generally more secure than proprietary software. Mainstream operating system applications whose code is regularly reviewed by independent reviewers are a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.<br />
<br />
APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.<br />
<br />
Email client<br />
<br />
One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux and it is widely used and supported by APC team and members.<br />
<br />
Web browser<br />
<br />
Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. As compared to Internet Explorer (IE), it also supports a wider range of industry-accepted protocols such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with KDE desktop environment is Konqueror.<br />
<br />
Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.<br />
<br />
Office suite<br />
<br />
Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since APC team shares documents in open document standards (ODF), team members MUST install LibreOffice or other office package that supports open format standards1. If you can not avoid using Microsoft Office applications, saving and sharing documents in odf format is recommended for compatibility and also as a means to avoid embedding malicious content.<br />
<br />
<br />
Instant messaging, audio and video conferencing<br />
<br />
Jitsi is the main VoIP chatting application used by APC team. Team uses jit.si xmpp/jabber service as the main service where all APC team members have to create an account (see Instant messaging, chat and voice section for more details). <br />
<br />
<br />
Anti-virus, anti-spyware and back-up applications<br />
<br />
For recommendations on application choice, see Virus protection and Backing up data sections.<br />
<br />
<br />
Other software<br />
<br />
There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, Open Shot Video editor, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.<br />
<br />
<br />
Document sharing standards<br />
<br />
Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.<br />
<br />
The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.<br />
<br />
<br />
Passwords<br />
<br />
[Basic information and why you shouldn't use the same password for everything]<br />
<br />
If any team member cannot remember all of her/his passwords, s/he SHOULD use reliable password manager! A reliable open source password manager is Keepass, which is available for all platforms, including those used by most smartphones1. This will decrease the risk that your passwords or other sensitive information will be compromised, e.g. through an infection by spyware software, and allow users to:<br />
<br />
* Carry passphrases encrypted on a portable device, between devices<br />
* Store passwords securely in an encrypted format<br />
* Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images<br />
<br />
<br />
Web browser password managers<br />
Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.<br />
<br />
Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications allow integration with your browser, so the passwords that you chose to store in your browser are automatically and securely handled by the standalone password manager1.<br />
Secure web browsing<br />
Using https protects APC staff not only from eventual echelons who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.<br />
<br />
Team members MUST take the following measures (depending on the web browser they use):<br />
<br />
* Install the Https Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2<br />
* Check the security/privacy preferences of your browser and if such option is available, choose connecting via secure connection (https).<br />
* For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, , look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if the next time you connect to given service the URL of that particular service start with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus minimising significantly the chance that someone will hijack your account.<br />
<br />
When connecting to above-mentioned third-party services from a portable device such as phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection regardless whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.<br />
<br />
<br />
Online privacy<br />
<br />
Basic privacy measures when browsing online<br />
<br />
When browsing the internet, the user leaves many traces behind on visited websites as well as on the computer one is using. Browser extensions also make it impossible for visited services to ‘profile’ you based on your online behavior and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:<br />
<br />
* Firefox: BetterPrivacy, Ghostery1<br />
* Google Chrome: Ghostery, Disconnect.<br />
<br />
<br />
Anonymous browsing and circumvention<br />
<br />
Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries SHOULD use an anonymisation software such as TOR 3. Users of Android and iOS-based portable devices can install Orbot – an implementation of TOR for portable devices and Orweb (browser that enables anonymous web browsing using TOR service)4.<br />
<br />
<br />
Other anonymous communications<br />
<br />
Use of TOR is also recommended for other communication that is generally legitimate and ethical, but conflicts with legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All staff's connections to the internet can be anonymised if needed by routing them through TOR including chat, email, P2P networking.<br />
<br />
<br />
Generating and sharing images, video, audio and digital stories<br />
<br />
APC work dealing with to audiovisual (A/V) recordings and digital stories is governed by following policies:<br />
<br />
Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.<br />
<br />
Informed, written consent with using images or A/V recordings on APC websites or for other purposes MUST be obtained in writing from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.<br />
<br />
If images or A/V material that includes one or more individuals is to be stored on team member's equipment or APC's online spaces, it MUST be accompanied by the documentation on how the material can be used in the future.<br />
<br />
<br />
Storing A/V material and images<br />
<br />
Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.<br />
<br />
<br />
Sharing A/V material and images<br />
<br />
A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without consent of those who have been photographed or filmed. Such material may be shared with colleagues n APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.<br />
<br />
<br />
Phones and Other Portable Devices<br />
<br />
All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.<br />
<br />
<br />
Threats Resulting from Social Engineering Activities<br />
<br />
A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.<br />
<br />
If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the messages should be avoided. Even some massively distributed fraught messages are designed in a way that makes the content look trustworthy and sender to seem like someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing with.<br />
<br />
APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or anyone whose identity is in doubt. This is particularly important in case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in unrepairable damages.<br />
<br />
<br />
Managing Organisational Infrastructure<br />
<br />
The following principles apply to management of organisational infrastructure:<br />
<br />
General<br />
<br />
* Administrative passwords to all APC mailing lists will be changed twice a year.<br />
* Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.<br />
* Only APC system administrator, technical support and the communications manager have superadmin privileges to APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as this access is no longer needed (e.g. end of a specific project).<br />
* Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.<br />
<br />
<br />
Staff exit management<br />
<br />
* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.<br />
** APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems. <br />
** The staff member responsible for administering staff's contacts in APC's contact database must make sure that exiting staff member is removed from the “APC Staff” contact group. <br />
* When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.<br />
<br />
<br />
Agreement with organisational partners on sensitive information<br />
<br />
When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:<br />
<br />
* List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.<br />
* Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. Sending encrypted email, exchanging encrypted databases, using secure voice communication).<br />
<br />
<br />
Activity-specific security policies<br />
<br />
When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:<br />
<br />
* Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).<br />
* Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot. Can people tweet from the event?).<br />
* A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).<br />
* Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.<br />
* Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).<br />
<br />
<br />
Online Databases and Access to Servers<br />
<br />
When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:<br />
<br />
* The database web browser interface will be hosted on a server that is separate from the server where the database is hosted.<br />
* Data-at-rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.<br />
* All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.<br />
<br />
Only SFTP and SSH protocols are permitted for direct access to APC servers.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Reference_guide&diff=491Reference guide2015-05-22T08:11:48Z<p>Tarryn: </p>
<hr />
<div>[[File:style.jpg|thumb|200px]]<br />
APC uses an adapted version of the American Psychological Association (APA) style of referencing. The key difference is APC's use of footnotes rather than in-text citation of author and date. We take into consideration the impracticality of scrolling backwards and forwards to the bibliography. Footnotes are better suited to documents that are likely to be read on a digital device. Please take into account the following recommendations when writing and editing for APC.<br />
<br />
<br />
'''APC guide to reference listing'''<br />
<br />
Please note that the superscript number used to indicate the placement of a footnote comes after any punctuation marks, including commas, full stops and quotation marks: <br />
In 2014 the group launched a new website.3<br />
“We have also launched a new website,”3 she added.<br />
<br />
The only exception is when the punctuation mark is a dash:<br />
The new website 3 – launched in 2014 – provides a wide range of resources.<br />
<br />
The format for the footnote is the same format used for a reference list in APA style, with a few minor modifications, which means you can use free online tools like www.bibme.org/apa-bibliography to make referencing faster and simpler. <br />
<br />
However, since all the necessary information is provided in the footnotes, there is no need to compile a separate list of references.<br />
<br />
<br />
'''Special notes on URLs'''<br />
<br />
URLs (links) should be hyperlinked and the http:// and https:// notation should be removed. If a link is available with a secure connection (https), always use that as the target of the hyperlink (e.g. www.apc.org). In the case of print publications, where hyperlinking is not possible, please always <br />
remove http:// but leave https:// so that readers are aware that a secure connection to the link is possible.<br />
<br />
URL links should also not contain tracking tokens, which are often present if the URL has been copied from an online dissemination platform like Twitter or ShareThis!. As an example, extraneous tracking information in the URL sometimes follows “html” and often begin with “?utm_”. Delete it <br />
and then test to make sure the URL still works without it.<br />
<br />
<br />
'''Guidelines and examples by reference type'''<br />
<br />
'''Books and reports'''<br />
<br />
Author, A. (year). Title of Work. Location: Publisher. URL (if the publication is available online)<br />
Gurumurthy, A. (2004). Gender and ICTs: Overview Report . Brighton: BRIDGE. www.bridge.ids.ac.uk/go/bridge-publications/cutting-edge-packs/gender-and-icts/gender-and-icts&id=52909&type=Document&langid=1<br />
WomenAid Collective. (2008). CEDAW and Accountability to Gender Equality in Nigeria: A Shadow Report. Enugu: WACOL.<br />
<br />
'''More than one author'''<br />
<br />
Fascendini, F., & Fialová, K. (2011). Voices from Digital Spaces: Technology-related violence against women. Johannesburg: APC WNSP. www.genderit.org/node/3539<br />
<br />
'''Chapter in a book'''<br />
<br />
Author, A. (Year of publication). Title of chapter. In A. Editor (Ed.), Title of book. Location: Publisher. URL<br />
Moawad, N. (2013). Dot feminist resistance: Online disobedience, sabotage and militancy. In A. Finlay (Ed.), Global Information Society Watch 2013. johannesburg: APC and Hivos. www.giswatch.org/en/womens-rights-gender/dot-feminist-resistance-online-disobedience-sabotage-and-militancy <br />
<br />
'''Government documents'''<br />
<br />
Department/Agency. (year). Title . URL or Location: Publisher.<br />
Department of Communications. (2013). South Africa Connect: National Broadband Policy. www.doc.gov.za/documents-publications/broadband.html<br />
<br />
'''Journal article'''<br />
<br />
Author, A. (Year). Title of article. Title of Periodical, volume number (issue number), pages (if available). URL (if online)<br />
Coleman, S. (2005). The lonely citizen: Indirect representation in an age of networks. Political Communication, 22(2), 197-214.<br />
Salas, M. (2010). Internet, power and politics: Gender and ICTs in the movement against CAFTA. The Journal of Community Informatics, 6(1). ci-journal.net/index.php/ciej/article/view/530/468<br />
<br />
<br />
'''Newspaper article'''<br />
<br />
Author, A. (Date month year 1 published). Article title. Newspaper Title. URL<br />
Chemaly, S., Friedman, J., & Bates, L. (21 May 2013). An Open Letter to Facebook. Huffington Post. www.huffingtonpost.com/soraya-chemaly/an-open-letter-to-faceboo_1_b_3307394.html<br />
<br />
<br />
'''Presentation, paper, etc.'''<br />
<br />
Author, A. (Year). Title of paper. Description. URL<br />
Defensor-Santiago, M. (2010). The praxis of gender justice in the Philippines: Implications for lawmaking. Paper presented at the Parliamentarians for Global Action (PGA) Panel on Gender Justice and Women’s Rights, Istanbul, Turkey, 24 October. miriam.com.ph/newsblog/?p=489<br />
<br />
<br />
'''Blog post'''<br />
<br />
Author, A. (Year, date month published). Article title. Name of Blog. URL<br />
Milstein, S. (2013, 24 March). I have a few things to say about Adria. Dogs and Shoes. www.dogsandshoes.com/2013/03/adria.html<br />
<br />
<br />
'''Web page'''<br />
<br />
If you are citing information about an organisation, programme, campaign, etc. from a website, you can simply provide the URL.<br />
www.takebackthetech.net/page/about-campaign<br />
<br />
<br />
'''Online video (YouTube, Vimeo, etc.)'''<br />
<br />
If the video is mentioned in the text, simply provide the URL.<br />
<br />
<br />
'''Personal communication (interview, email, etc.)'''<br />
<br />
Brief description, Date. Interview with APC Executive Director Anriette Esterhuysen, 21 March 2014.<br />
<br />
<br />
'''If the same reference is cited more than once...'''<br />
<br />
If the reference is the same as the one cited right before it: Ibid.<br />
If the reference is the same as one cited earlier: Author, A. (Year or Year, date month). Op. cit.<br />
<br />
'''[http://www.apc.org/en/system/files/APC_ReferenceGuide_2-0.pdf Read or download the Reference guide in pdf format]'''</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Secure_online_communications&diff=490Secure online communications2015-05-22T07:55:25Z<p>Tarryn: </p>
<hr />
<div>[[File:security.jpg|thumb|200px]]<br />
<br />
The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.<br />
<br />
Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.<br />
<br />
'''Executive Summary'''<br />
<br />
'''DOs'''<br />
<br />
*Configure your email client to communicate with the server via secure SSL/TSL connection.<br />
*Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.<br />
*Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.<br />
*Follow APC's guidelines for mailing lists and encrypted mailing lists.<br />
*Use OwnCloud for cloud data storage and data sharing<br />
*Use OwnCloud calendaring to host shared calendars (replacing Google Calendars)<br />
*Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.<br />
*Use Jitsi for messaging/VoIP communication whenever possible. Use Jitsi for all messaging/VoIP communication in APC team. <br />
*Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.<br />
*Use and periodically update anti-virus software on your computer.<br />
*Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.<br />
*Install LibreOffice or other office package that supports open format standards1.<br />
*Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices). <br />
*Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces. <br />
*Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices. <br />
*Follow APC’s policy for work relating to A/V recordings and digital stories. <br />
*Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have a least doubt.<br />
*Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices. <br />
<br />
'''DON’Ts'''<br />
<br />
*Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identify must be kept secret.<br />
*Use Skype for communication within APC team, unless it is absolutely necessary.<br />
*Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.<br />
*Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.<br />
*Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.<br />
<br />
'''CONSIDER'''<br />
<br />
*Finding out whether or not the use of encryption in internet communication is legal in your country of residence.<br />
*Educating yourself on issues of privacy related to communication in encrypted lists.<br />
*Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.<br />
*Using an open source password management software such as Keepass if you can not remember all your passphrases.<br />
*Backing up your data at least once per week, if not more often. Back up media must be stored in a safe place. Additionally, all confidential or sensitive *APC-related back up data should be encrypted. <br />
*Prioritising free and open source software whenever possible.<br />
*Connecting to web content via https connection whenever possible. <br />
*Follow APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_work_with_images&diff=375How to work with images2015-05-20T12:39:42Z<p>Tarryn: /* Technical tips for using the picture in GenderIT.org */</p>
<hr />
<div>[[File:photo.jpg|thumb|200px]]<br />
== '''Introduction''' ==<br />
<br />
<br />
Photographs can illuminate a story, but also present risks for information they may inadvertently provide about the location and identities of those in the photographs. This guide addresses these questions of safety, security and ensuring anonymity.<br />
<br />
<br />
<br />
== '''Overview''' ==<br />
<br />
<br />
If you're looking for a fairly simple how-to for digital photography, have a look at [http://photo.net/equipment/digital/basics/ this]. It includes information on choosing a camera, as well as guiding readers through the vocabulary of a digital camera.<br />
<br />
A really beautiful online guide to portrait photography is available [https://archive.org/details/The_Perfect_Portrait_Guide_How_to_Photograph_People here]. This is really practical for taking one-on-one shots, less practical in the chaotic atmosphere of a conference.<br />
<br />
Perhaps more practical tips for the type of photographs you might be taking if you go to a conference or event can be found [http://photography.tutsplus.com/series/photojournalism—photo-8677 here]<br />
<br />
== '''Technical tools''' ==<br />
<br />
<br />
Obviously, you'll need a camera. The quality of most point-and-shoot cameras is usually sufficient for the website.<br />
<br />
However, you may need to change the quality or otherwise edit your photo. An [http://www.gimp.org/ open source alternative] to Photoshop is available, which has tutorials on the same site.<br />
<br />
If you're taking photos with your phone, make sure you use the [https://guardianproject.info/apps/obscuracam/ ObscuraCam app] to protect the identity of those whose pictures you take. This free app removes location and other identifying material from the photos.<br />
<br />
== '''Methods''' ==<br />
<br />
<br />
Aside from the technical tips covered above, as always make sure that you respect people's privacy. At conferences, ensure that those in photographs are happy with the image being made public – in many conferences people may wear some form of identification to show that they don't want their photographs taken. It is vital that this is respected. If you aren't sure, or don't get to ask, don't upload the shot – or anonymise their picture (see the link to ObscuraCam above).<br />
<br />
If you have done an interview and the interviewee wants to remain anonymous, you could take photos of hands, a sillhouette or other means that protect their identity. Check out the resources at gbv.witness.org for ideas and suggestions. <br />
<br />
<br />
<br />
== '''Checklist''' ==<br />
<br />
<br />
1. Before going out, make sure you have spare batteries and a notepad (and a camera!).<br />
<br />
2. Get the permission of everyone you photograph to use their pictures. Explain the context of the site and if possible, the context of the story.<br />
<br />
3. Before taking the shot, check the lighting, check that everything is to scale (see [http://www.hongkiat.com/blog/force-perspective-photos/ HongKiat]).<br />
<br />
4. If the photo is taken with a smart device, make sure you strip identifying data from the shot.<br />
<br />
5. Make sure that the image in in the right format before uploading.<br />
<br />
== '''Technical tips for using the picture in GenderIT.org''' ==<br />
<br />
<br />
1. Please make sure the file size does not exceed the 25 MB. If this is the case, you can easily reduce the size by using an [http://www.webresizer.com/resizer/ online tool] You can also crop them if you need to.<br />
<br />
2. Allowed file extensions are ''png gif jpg jpeg'' <br />
<br />
3. On the HOW to upload them, please refer yourself to the technical guide about how to upload content in GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_work_with_images&diff=374How to work with images2015-05-20T12:38:44Z<p>Tarryn: /* Checklist */</p>
<hr />
<div>[[File:photo.jpg|thumb|200px]]<br />
== '''Introduction''' ==<br />
<br />
<br />
Photographs can illuminate a story, but also present risks for information they may inadvertently provide about the location and identities of those in the photographs. This guide addresses these questions of safety, security and ensuring anonymity.<br />
<br />
<br />
<br />
== '''Overview''' ==<br />
<br />
<br />
If you're looking for a fairly simple how-to for digital photography, have a look at [http://photo.net/equipment/digital/basics/ this]. It includes information on choosing a camera, as well as guiding readers through the vocabulary of a digital camera.<br />
<br />
A really beautiful online guide to portrait photography is available [https://archive.org/details/The_Perfect_Portrait_Guide_How_to_Photograph_People here]. This is really practical for taking one-on-one shots, less practical in the chaotic atmosphere of a conference.<br />
<br />
Perhaps more practical tips for the type of photographs you might be taking if you go to a conference or event can be found [http://photography.tutsplus.com/series/photojournalism—photo-8677 here]<br />
<br />
== '''Technical tools''' ==<br />
<br />
<br />
Obviously, you'll need a camera. The quality of most point-and-shoot cameras is usually sufficient for the website.<br />
<br />
However, you may need to change the quality or otherwise edit your photo. An [http://www.gimp.org/ open source alternative] to Photoshop is available, which has tutorials on the same site.<br />
<br />
If you're taking photos with your phone, make sure you use the [https://guardianproject.info/apps/obscuracam/ ObscuraCam app] to protect the identity of those whose pictures you take. This free app removes location and other identifying material from the photos.<br />
<br />
== '''Methods''' ==<br />
<br />
<br />
Aside from the technical tips covered above, as always make sure that you respect people's privacy. At conferences, ensure that those in photographs are happy with the image being made public – in many conferences people may wear some form of identification to show that they don't want their photographs taken. It is vital that this is respected. If you aren't sure, or don't get to ask, don't upload the shot – or anonymise their picture (see the link to ObscuraCam above).<br />
<br />
If you have done an interview and the interviewee wants to remain anonymous, you could take photos of hands, a sillhouette or other means that protect their identity. Check out the resources at gbv.witness.org for ideas and suggestions. <br />
<br />
<br />
<br />
== '''Checklist''' ==<br />
<br />
<br />
1. Before going out, make sure you have spare batteries and a notepad (and a camera!).<br />
<br />
2. Get the permission of everyone you photograph to use their pictures. Explain the context of the site and if possible, the context of the story.<br />
<br />
3. Before taking the shot, check the lighting, check that everything is to scale (see [http://www.hongkiat.com/blog/force-perspective-photos/ HongKiat]).<br />
<br />
4. If the photo is taken with a smart device, make sure you strip identifying data from the shot.<br />
<br />
5. Make sure that the image in in the right format before uploading.<br />
<br />
== '''Technical tips for using the picture in GenderIT.org''' ==<br />
<br />
<br />
1. Please make sure the file size does not exceed the 25 MB. If this is the case, you can easily reduce the size by using this online tool: http://www.webresizer.com/resizer/ You can also crop them if you need to.<br />
<br />
2. Allowed file extensions are ''png gif jpg jpeg'' <br />
<br />
3. On the HOW to upload them, please refer yourself to the technical guide about how to upload content in GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_work_with_images&diff=373How to work with images2015-05-20T12:37:00Z<p>Tarryn: /* Technical tools */</p>
<hr />
<div>[[File:photo.jpg|thumb|200px]]<br />
== '''Introduction''' ==<br />
<br />
<br />
Photographs can illuminate a story, but also present risks for information they may inadvertently provide about the location and identities of those in the photographs. This guide addresses these questions of safety, security and ensuring anonymity.<br />
<br />
<br />
<br />
== '''Overview''' ==<br />
<br />
<br />
If you're looking for a fairly simple how-to for digital photography, have a look at [http://photo.net/equipment/digital/basics/ this]. It includes information on choosing a camera, as well as guiding readers through the vocabulary of a digital camera.<br />
<br />
A really beautiful online guide to portrait photography is available [https://archive.org/details/The_Perfect_Portrait_Guide_How_to_Photograph_People here]. This is really practical for taking one-on-one shots, less practical in the chaotic atmosphere of a conference.<br />
<br />
Perhaps more practical tips for the type of photographs you might be taking if you go to a conference or event can be found [http://photography.tutsplus.com/series/photojournalism—photo-8677 here]<br />
<br />
== '''Technical tools''' ==<br />
<br />
<br />
Obviously, you'll need a camera. The quality of most point-and-shoot cameras is usually sufficient for the website.<br />
<br />
However, you may need to change the quality or otherwise edit your photo. An [http://www.gimp.org/ open source alternative] to Photoshop is available, which has tutorials on the same site.<br />
<br />
If you're taking photos with your phone, make sure you use the [https://guardianproject.info/apps/obscuracam/ ObscuraCam app] to protect the identity of those whose pictures you take. This free app removes location and other identifying material from the photos.<br />
<br />
== '''Methods''' ==<br />
<br />
<br />
Aside from the technical tips covered above, as always make sure that you respect people's privacy. At conferences, ensure that those in photographs are happy with the image being made public – in many conferences people may wear some form of identification to show that they don't want their photographs taken. It is vital that this is respected. If you aren't sure, or don't get to ask, don't upload the shot – or anonymise their picture (see the link to ObscuraCam above).<br />
<br />
If you have done an interview and the interviewee wants to remain anonymous, you could take photos of hands, a sillhouette or other means that protect their identity. Check out the resources at gbv.witness.org for ideas and suggestions. <br />
<br />
<br />
<br />
== '''Checklist''' ==<br />
<br />
<br />
1. Before going out, make sure you have spare batteries and a notepad (and a camera!).<br />
<br />
2. Get the permission of everyone you photograph to use their pictures. Explain the context of the site and if possible, the context of the story.<br />
<br />
3. Before taking the shot, check the lighting, check that everything is to scale (see http://www.hongkiat.com/blog/force-perspective-photos/).<br />
<br />
4. If the photo is taken with a smart device, make sure you strip identifying data from the shot.<br />
<br />
5. Make sure that the image in in the right format before uploading.<br />
<br />
<br />
<br />
== '''Technical tips for using the picture in GenderIT.org''' ==<br />
<br />
<br />
1. Please make sure the file size does not exceed the 25 MB. If this is the case, you can easily reduce the size by using this online tool: http://www.webresizer.com/resizer/ You can also crop them if you need to.<br />
<br />
2. Allowed file extensions are ''png gif jpg jpeg'' <br />
<br />
3. On the HOW to upload them, please refer yourself to the technical guide about how to upload content in GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_work_with_images&diff=372How to work with images2015-05-20T12:36:15Z<p>Tarryn: /* Technical tools */</p>
<hr />
<div>[[File:photo.jpg|thumb|200px]]<br />
== '''Introduction''' ==<br />
<br />
<br />
Photographs can illuminate a story, but also present risks for information they may inadvertently provide about the location and identities of those in the photographs. This guide addresses these questions of safety, security and ensuring anonymity.<br />
<br />
<br />
<br />
== '''Overview''' ==<br />
<br />
<br />
If you're looking for a fairly simple how-to for digital photography, have a look at [http://photo.net/equipment/digital/basics/ this]. It includes information on choosing a camera, as well as guiding readers through the vocabulary of a digital camera.<br />
<br />
A really beautiful online guide to portrait photography is available [https://archive.org/details/The_Perfect_Portrait_Guide_How_to_Photograph_People here]. This is really practical for taking one-on-one shots, less practical in the chaotic atmosphere of a conference.<br />
<br />
Perhaps more practical tips for the type of photographs you might be taking if you go to a conference or event can be found [http://photography.tutsplus.com/series/photojournalism—photo-8677 here]<br />
<br />
== '''Technical tools''' ==<br />
<br />
<br />
Obviously, you'll need a camera. The quality of most point-and-shoot cameras is usually sufficient for the website.<br />
<br />
However, you may need to change the quality or otherwise edit your photo. An open source alternative to Photoshop is available at http://www.gimp.org/, which has tutorials on the same site.<br />
<br />
If you're taking photos with your phone, make sure you use the [https://guardianproject.info/apps/obscuracam/ ObscuraCam app] to protect the identity of those whose pictures you take. This free app removes location and other identifying material from the photos.<br />
<br />
== '''Methods''' ==<br />
<br />
<br />
Aside from the technical tips covered above, as always make sure that you respect people's privacy. At conferences, ensure that those in photographs are happy with the image being made public – in many conferences people may wear some form of identification to show that they don't want their photographs taken. It is vital that this is respected. If you aren't sure, or don't get to ask, don't upload the shot – or anonymise their picture (see the link to ObscuraCam above).<br />
<br />
If you have done an interview and the interviewee wants to remain anonymous, you could take photos of hands, a sillhouette or other means that protect their identity. Check out the resources at gbv.witness.org for ideas and suggestions. <br />
<br />
<br />
<br />
== '''Checklist''' ==<br />
<br />
<br />
1. Before going out, make sure you have spare batteries and a notepad (and a camera!).<br />
<br />
2. Get the permission of everyone you photograph to use their pictures. Explain the context of the site and if possible, the context of the story.<br />
<br />
3. Before taking the shot, check the lighting, check that everything is to scale (see http://www.hongkiat.com/blog/force-perspective-photos/).<br />
<br />
4. If the photo is taken with a smart device, make sure you strip identifying data from the shot.<br />
<br />
5. Make sure that the image in in the right format before uploading.<br />
<br />
<br />
<br />
== '''Technical tips for using the picture in GenderIT.org''' ==<br />
<br />
<br />
1. Please make sure the file size does not exceed the 25 MB. If this is the case, you can easily reduce the size by using this online tool: http://www.webresizer.com/resizer/ You can also crop them if you need to.<br />
<br />
2. Allowed file extensions are ''png gif jpg jpeg'' <br />
<br />
3. On the HOW to upload them, please refer yourself to the technical guide about how to upload content in GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_work_with_images&diff=371How to work with images2015-05-20T12:35:07Z<p>Tarryn: /* Overview */</p>
<hr />
<div>[[File:photo.jpg|thumb|200px]]<br />
== '''Introduction''' ==<br />
<br />
<br />
Photographs can illuminate a story, but also present risks for information they may inadvertently provide about the location and identities of those in the photographs. This guide addresses these questions of safety, security and ensuring anonymity.<br />
<br />
<br />
<br />
== '''Overview''' ==<br />
<br />
<br />
If you're looking for a fairly simple how-to for digital photography, have a look at [http://photo.net/equipment/digital/basics/ this]. It includes information on choosing a camera, as well as guiding readers through the vocabulary of a digital camera.<br />
<br />
A really beautiful online guide to portrait photography is available [https://archive.org/details/The_Perfect_Portrait_Guide_How_to_Photograph_People here]. This is really practical for taking one-on-one shots, less practical in the chaotic atmosphere of a conference.<br />
<br />
Perhaps more practical tips for the type of photographs you might be taking if you go to a conference or event can be found [http://photography.tutsplus.com/series/photojournalism—photo-8677 here]<br />
<br />
== '''Technical tools''' ==<br />
<br />
<br />
Obviously, you'll need a camera. The quality of most point-and-shoot cameras is usually sufficient for the website.<br />
<br />
However, you may need to change the quality or otherwise edit your photo. An open source alternative to Photoshop is available at http://www.gimp.org/, which has tutorials on the same site.<br />
<br />
If you're taking photos with your phone, make sure you use the ObscuraCam app to protect the identity of those whose pictures you take. This app removes location and other identifying material from the photos. Available free at https://guardianproject.info/apps/obscuracam/.<br />
<br />
<br />
<br />
== '''Methods''' ==<br />
<br />
<br />
Aside from the technical tips covered above, as always make sure that you respect people's privacy. At conferences, ensure that those in photographs are happy with the image being made public – in many conferences people may wear some form of identification to show that they don't want their photographs taken. It is vital that this is respected. If you aren't sure, or don't get to ask, don't upload the shot – or anonymise their picture (see the link to ObscuraCam above).<br />
<br />
If you have done an interview and the interviewee wants to remain anonymous, you could take photos of hands, a sillhouette or other means that protect their identity. Check out the resources at gbv.witness.org for ideas and suggestions. <br />
<br />
<br />
<br />
== '''Checklist''' ==<br />
<br />
<br />
1. Before going out, make sure you have spare batteries and a notepad (and a camera!).<br />
<br />
2. Get the permission of everyone you photograph to use their pictures. Explain the context of the site and if possible, the context of the story.<br />
<br />
3. Before taking the shot, check the lighting, check that everything is to scale (see http://www.hongkiat.com/blog/force-perspective-photos/).<br />
<br />
4. If the photo is taken with a smart device, make sure you strip identifying data from the shot.<br />
<br />
5. Make sure that the image in in the right format before uploading.<br />
<br />
<br />
<br />
== '''Technical tips for using the picture in GenderIT.org''' ==<br />
<br />
<br />
1. Please make sure the file size does not exceed the 25 MB. If this is the case, you can easily reduce the size by using this online tool: http://www.webresizer.com/resizer/ You can also crop them if you need to.<br />
<br />
2. Allowed file extensions are ''png gif jpg jpeg'' <br />
<br />
3. On the HOW to upload them, please refer yourself to the technical guide about how to upload content in GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_deal_with_vulnerable_interviewees&diff=370How to deal with vulnerable interviewees2015-05-20T12:29:53Z<p>Tarryn: /* Overview */</p>
<hr />
<div>[[File:aid.jpg|thumb|200px]]<br />
== '''Introduction''' ==<br />
<br />
<br />
This guide contains resources and important considerations to be put in place when conducting interviews, particularly with survivors of violence and sexual harassment.<br />
<br />
At GenderIT.org, our priorities include giving space to voices from the global South and to the voices of marginalised communities, including victims of violence and sexual harassment. This means an awareness of both our own power and the power of others – including ways in which our actions can enhance or detract from the power of the person whose voice is being heard.<br />
<br />
This means an awareness of the vulnerabilities of those who have experienced sexual or other violence or harassment – giving them the power to decide how anonymous they wish to be, for example, allowing them to choose how to refer to themselves (as a survivor, as a victim etc.), giving them ample space and time to tell, write or edit their story, and time for them to be happy about how it will be shared (if it is to be shared).<br />
<br />
<br />
== '''Overview''' ==<br />
<br />
<br />
A key resource here is the [http://blog.witness.org/2013/08/new-how-to-guide-for-interviewing-survivors-of-sexual-and-gender-based-violence/ Witness guide] to interviewing survivors of sexual assault. Violence survivors include those in positions of power and authority and if you are speaking to them about their experience of violence, particularly sexual violence or assault, it is still important to follow these principles.<br />
<br />
Another important document is the [http://www.who.int/gender/documents/violence/who_fch_gwh_01.1/en/ WHO guide] on research on domestic violence available in English, French and Spanish.<br />
<br />
== '''WHO Guiding Principles for Domestic Violence Research''' ==<br />
<br />
<br />
a. The safety of respondents and the research team is paramount, and should guide all project decisions.<br />
<br />
b. Prevalence studies need to be methodologically sound and to build upon current re- search experience about how to minimize the under-reporting of violence.<br />
<br />
c. Protecting confidentiality is essential to ensure both women’s safety and data quality.<br />
<br />
d. All research team members should be care fully selected and receive specialized training and on-going support.<br />
<br />
e. The study design must include actions aimed at reducing any possible distress caused to the participants by the research.<br />
<br />
f. Fieldworkers should be trained to refer women requesting assistance to available local services and sources of support. Where few resources exist, it may be necessary for the study to create short-term support mechanisms.<br />
<br />
g. Researchers and donors have an ethical obligation to help ensure that their findings are properly interpreted and used to advance policy and intervention development.<br />
<br />
h. Violence questions should only be incorporated into surveys designed for other purposes when ethical and methodological requirements can be met.<br />
<br />
<br />
'''Drawing from these principles''', Athar, Rima "VI. Ethics in the Research Process" In: Research Design for “From impunity to justice: Exploring corporate and legal remedies for technology-related violence against women” research (APC, November 2013) '''drew up these guidelines''':<br />
<br />
<br />
<br />
== '''Obtaining Informed Consent''' ==<br />
<br />
<br />
* Interviewees are treated as human beings with agency-capable of determining and deciding what is best for them and not mere subjects or as means to extract data.<br />
* As with respect to their self-determination, a.) the nature of the interview, b.) any risks and benefits which might result from their participation, c.) their rights to refuse to participate or to end their participation without penalty, and d.) the means by which they can contact the writer shall be first explained to potential interviews in language they understand. <br />
* It is imperative to stress that consent is voluntary, and as such can be withdrawn at any time prior to publication. Writers must ensure the possibility for interviewees to withdraw their consent (at minimum by providing a way to contact the writer)<br />
* Only those who shall express willingness shall be interviewed. <br />
<br />
<br />
'''Providing support'''<br />
<br />
Interviewees stand to face positive as well as negative effects from their involvement/participation. The writer shall ensure that interviewees not only benefit from the publication of the interview but also from the actual conduct of the interview itself. A good interviewer pays careful attention to the interaction with interviewees as this is critical in remaining aware of potential hierarchies and associated power dynamics that may arise. <br />
<br />
<br />
<br />
== '''During the interview''' ==<br />
<br />
<br />
Use sensitive and appropriate methods. The writer shall be in close collaboration with the interviewee and is enjoined not just have an instrumental but genuine relationship with them, recognising that there is no ‘detachment’ from the interviewee’s problems. Treating all people as human beings will entail a degree of emotional involvement and create bond between the interviewer and respondent that can potentially empower both, without creating or fostering dependence. <br />
<br />
It entails listening to the interviewee with sensitivity. Those who have experienced violation and trauma may react poorly to questions around their experiences, and the writer should be able to recognize this and provide an appropriate response. <br />
<br />
During the course of the interview, the interviewer should introduce any section enquiring about violence carefully, forewarning the respondent about the nature of the questions and giving her the opportunity to either stop the interview, or not to answer these questions.<br />
<br />
Collaboration means also that the interviewer is willing to self-disclose- to share her/his experience if the interviewee requests.<br />
<br />
At all times refrain from any conduct or statement that has the effect or impact of blaming the woman for the violence she has experienced. <br />
<br />
<br />
<br />
== '''Boundaries''' ==<br />
<br />
<br />
Writers shall take steps to address other needs of the interviewee such as counselling, psycho-social and emotional support through referrals to local and culturally appropriate resources. However, be explicit about limitations and do not make promises that cannot be fulfilled.<br />
Interviewers should not take on a role as counsellor.<br />
<br />
Interviewers should be open to assisting the respondent if asked, within the limits of these protocols, but should not tell her what to do or to take on the personal burden of trying to “save her”. <br />
<br />
Variations in individual and cultural understandings of what constitutes violence against women (including rape, marital rape, assault, harassment, etc.), are to be expected. The writer’s role in working with victims/survivors of violence (as well as all other interviewees) is to bring out their own understandings of the violence they experienced (or witnessed or participated in), through questions and sharing of perspectives that provide room for conversation around different views; rather than try to stick with a pre-determined definition/understanding of what constitutes violence, rape, harassment, assault, etc. <br />
<br />
<br />
<br />
== '''Providing referrals to social support services''' ==<br />
<br />
<br />
Prior to conducting the interview, research potential providers of support, which may include existing health, legal and social services and educational resources in the community, and less formal providers of support (including community representatives, religious leaders, traditional healers and women’s organizations).<br />
<br />
A list of such resources should be made available to the interviewee, but only provided if and when asked for. Such a list should be framed as resources for “women’s heath” broadly, to miminize risks to interviewees that may result from possessing such a list. <br />
<br />
<br />
<br />
== '''Ensuring confidentiality''' ==<br />
<br />
<br />
All involved, from the interviewer to the editor, have the duty to assure the women that their identities will be protected, if this has been agreed upon. <br />
Confidentiality means that participants’ cannot be identified by others, so any identifying information (such as location etc) is to be stripped from all materials pertaining to the interview, including photographs and recordings.<br />
Interviewers shall determine what kind of information and details to share, no matter how crucial the women’s revelation.<br />
<br />
<br />
'''Location of interview'''<br />
<br />
Interviews cost the interviewee time and energy. Therefore, they should be carried out in settings that are most convenient for them.<br />
Logistics planning should include consideration of respondent safety. <br />
<br />
Interviews should be conducted in complete privacy. In cases where privacy cannot be ensured, interviews should be rescheduled or relocated. <br />
<br />
<br />
<br />
== '''Recording the interview''' ==<br />
<br />
<br />
Audio-recordings should be made for in-depth interviews with survivors of violence.<br />
<br />
The permission of the respondents should be sought before taping. The name of the respondent should not be included in the audio-recording at any stage. <br />
<br />
Respondents should be informed of who will have access to the tapes and for how long they will be kept. <br />
<br />
1. In this case, only interviewer (& transcriber, if different from the interviewer) will have access to the audio-recording. <br />
<br />
2. The audio-recordings should be kept in encrypted file1on an external hard drive, in a locked cabinet, with limited access. <br />
<br />
3. The audio-recording should be destroyed after publication. <br />
<br />
Extreme caution must be taken to securely transport raw data from locations of interviews to places where data are processed. That applies to all recoding media.<br />
An encryption software must be used during all data storage to ensure security of the data. (2) <br />
<br />
<br />
<br />
== '''Transcribing the interviews''' ==<br />
<br />
<br />
The importance of recording and transcribing the interviews is to ensure that women’s experiences and perspectives are shared in their own words. Relying on the interviewers’ notes/memories may be insufficient to ensure quality of data and its analysis. <br />
<br />
Transcribing the interviews also enables the respondents the option of reviewing the information they have provided if they wish, and choosing which information they consent to share. <br />
<br />
Particular care should be taken to ensure that no one community or individual can be identified.<br />
<br />
<br />
<br />
== '''Checklist''' ==<br />
<br />
<br />
* Think before you upload your story to the internet and if your security or the security of others could be compromised by others seeing it or not.<br />
<br />
* If you or the interviewee don't want your face shown, or your voice clearly recognisable, you can use tools to help guarantee anonymity (Audacity has tools for audio, ObscuraCam for video).<br />
<br />
* Never use an image of a person without that person's permission, regardless of who owns the image.<br />
<br />
<br />
''(1) Use encryption software (Truecrypt) to ensure security of the file.''<br />
<br />
''(2) Truecrypt is a recommended free open source application that can be used for encrypting data on your computers and portable devices.''</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_deal_with_vulnerable_interviewees&diff=363How to deal with vulnerable interviewees2015-05-20T12:06:59Z<p>Tarryn: </p>
<hr />
<div><br />
== '''Introduction''' ==<br />
<br />
<br />
This guide contains resources and important considerations to be put in place when conducting interviews, particularly with survivors of violence and sexual harassment.<br />
<br />
At GenderIT.org, our priorities include giving space to voices from the global South and to the voices of marginalised communities, including victims of violence and sexual harassment. This means an awareness of both our own power and the power of others – including ways in which our actions can enhance or detract from the power of the person whose voice is being heard.<br />
<br />
This means an awareness of the vulnerabilities of those who have experienced sexual or other violence or harassment – giving them the power to decide how anonymous they wish to be, for example, allowing them to choose how to refer to themselves (as a survivor, as a victim etc.), giving them ample space and time to tell, write or edit their story, and time for them to be happy about how it will be shared (if it is to be shared).<br />
<br />
<br />
== '''Overview''' ==<br />
<br />
<br />
A key resource here is the Witness guide to interviewing surivors of sexual assault<br />
(http://blog.witness.org/2013/08/new-how-to-guide-for-interviewing-survivors-of-sexual-and-gender-based-violence/). Violence survivors include those in positions of power and authority and if you are speaking to them about their experience of violence, particularly sexual violence or assault, it is still important to follow these principles.<br />
<br />
Another important document is the WHO guide on research on domestic violence (http://www.who.int/gender/documents/violence/who_fch_gwh_01.1/en/) available in English, French and Spanish.<br />
<br />
<br />
<br />
== '''WHO Guiding Principles for Domestic Violence Research''' ==<br />
<br />
<br />
a. The safety of respondents and the research team is paramount, and should guide all project decisions.<br />
<br />
b. Prevalence studies need to be methodologically sound and to build upon current re- search experience about how to minimize the under-reporting of violence.<br />
<br />
c. Protecting confidentiality is essential to ensure both women’s safety and data quality.<br />
<br />
d. All research team members should be care fully selected and receive specialized training and on-going support.<br />
<br />
e. The study design must include actions aimed at reducing any possible distress caused to the participants by the research.<br />
<br />
f. Fieldworkers should be trained to refer women requesting assistance to available local services and sources of support. Where few resources exist, it may be necessary for the study to create short-term support mechanisms.<br />
<br />
g. Researchers and donors have an ethical obligation to help ensure that their findings are properly interpreted and used to advance policy and intervention development.<br />
<br />
h. Violence questions should only be incorporated into surveys designed for other purposes when ethical and methodological requirements can be met.<br />
<br />
<br />
'''Drawing from these principles''', Athar, Rima "VI. Ethics in the Research Process" In: Research Design for “From impunity to justice: Exploring corporate and legal remedies for technology-related violence against women” research (APC, November 2013) '''drew up these guidelines''':<br />
<br />
<br />
<br />
== '''Obtaining Informed Consent''' ==<br />
<br />
<br />
* Interviewees are treated as human beings with agency-capable of determining and deciding what is best for them and not mere subjects or as means to extract data.<br />
* As with respect to their self-determination, a.) the nature of the interview, b.) any risks and benefits which might result from their participation, c.) their rights to refuse to participate or to end their participation without penalty, and d.) the means by which they can contact the writer shall be first explained to potential interviews in language they understand. <br />
* It is imperative to stress that consent is voluntary, and as such can be withdrawn at any time prior to publication. Writers must ensure the possibility for interviewees to withdraw their consent (at minimum by providing a way to contact the writer)<br />
* Only those who shall express willingness shall be interviewed. <br />
<br />
<br />
'''Providing support'''<br />
<br />
Interviewees stand to face positive as well as negative effects from their involvement/participation. The writer shall ensure that interviewees not only benefit from the publication of the interview but also from the actual conduct of the interview itself. A good interviewer pays careful attention to the interaction with interviewees as this is critical in remaining aware of potential hierarchies and associated power dynamics that may arise. <br />
<br />
<br />
<br />
== '''During the interview''' ==<br />
<br />
<br />
Use sensitive and appropriate methods. The writer shall be in close collaboration with the interviewee and is enjoined not just have an instrumental but genuine relationship with them, recognising that there is no ‘detachment’ from the interviewee’s problems. Treating all people as human beings will entail a degree of emotional involvement and create bond between the interviewer and respondent that can potentially empower both, without creating or fostering dependence. <br />
<br />
It entails listening to the interviewee with sensitivity. Those who have experienced violation and trauma may react poorly to questions around their experiences, and the writer should be able to recognize this and provide an appropriate response. <br />
<br />
During the course of the interview, the interviewer should introduce any section enquiring about violence carefully, forewarning the respondent about the nature of the questions and giving her the opportunity to either stop the interview, or not to answer these questions.<br />
<br />
Collaboration means also that the interviewer is willing to self-disclose- to share her/his experience if the interviewee requests.<br />
<br />
At all times refrain from any conduct or statement that has the effect or impact of blaming the woman for the violence she has experienced. <br />
<br />
<br />
<br />
== '''Boundaries''' ==<br />
<br />
<br />
Writers shall take steps to address other needs of the interviewee such as counselling, psycho-social and emotional support through referrals to local and culturally appropriate resources. However, be explicit about limitations and do not make promises that cannot be fulfilled.<br />
Interviewers should not take on a role as counsellor.<br />
<br />
Interviewers should be open to assisting the respondent if asked, within the limits of these protocols, but should not tell her what to do or to take on the personal burden of trying to “save her”. <br />
<br />
Variations in individual and cultural understandings of what constitutes violence against women (including rape, marital rape, assault, harassment, etc.), are to be expected. The writer’s role in working with victims/survivors of violence (as well as all other interviewees) is to bring out their own understandings of the violence they experienced (or witnessed or participated in), through questions and sharing of perspectives that provide room for conversation around different views; rather than try to stick with a pre-determined definition/understanding of what constitutes violence, rape, harassment, assault, etc. <br />
<br />
<br />
<br />
== '''Providing referrals to social support services''' ==<br />
<br />
<br />
Prior to conducting the interview, research potential providers of support, which may include existing health, legal and social services and educational resources in the community, and less formal providers of support (including community representatives, religious leaders, traditional healers and women’s organizations).<br />
<br />
A list of such resources should be made available to the interviewee, but only provided if and when asked for. Such a list should be framed as resources for “women’s heath” broadly, to miminize risks to interviewees that may result from possessing such a list. <br />
<br />
<br />
<br />
== '''Ensuring confidentiality''' ==<br />
<br />
<br />
All involved, from the interviewer to the editor, have the duty to assure the women that their identities will be protected, if this has been agreed upon. <br />
Confidentiality means that participants’ cannot be identified by others, so any identifying information (such as location etc) is to be stripped from all materials pertaining to the interview, including photographs and recordings.<br />
Interviewers shall determine what kind of information and details to share, no matter how crucial the women’s revelation.<br />
<br />
<br />
'''Location of interview'''<br />
<br />
Interviews cost the interviewee time and energy. Therefore, they should be carried out in settings that are most convenient for them.<br />
Logistics planning should include consideration of respondent safety. <br />
<br />
Interviews should be conducted in complete privacy. In cases where privacy cannot be ensured, interviews should be rescheduled or relocated. <br />
<br />
<br />
<br />
== '''Recording the interview''' ==<br />
<br />
<br />
Audio-recordings should be made for in-depth interviews with survivors of violence.<br />
<br />
The permission of the respondents should be sought before taping. The name of the respondent should not be included in the audio-recording at any stage. <br />
<br />
Respondents should be informed of who will have access to the tapes and for how long they will be kept. <br />
<br />
1. In this case, only interviewer (& transcriber, if different from the interviewer) will have access to the audio-recording. <br />
<br />
2. The audio-recordings should be kept in encrypted file1on an external hard drive, in a locked cabinet, with limited access. <br />
<br />
3. The audio-recording should be destroyed after publication. <br />
<br />
Extreme caution must be taken to securely transport raw data from locations of interviews to places where data are processed. That applies to all recoding media.<br />
An encryption software must be used during all data storage to ensure security of the data. (2) <br />
<br />
<br />
<br />
== '''Transcribing the interviews''' ==<br />
<br />
<br />
The importance of recording and transcribing the interviews is to ensure that women’s experiences and perspectives are shared in their own words. Relying on the interviewers’ notes/memories may be insufficient to ensure quality of data and its analysis. <br />
<br />
Transcribing the interviews also enables the respondents the option of reviewing the information they have provided if they wish, and choosing which information they consent to share. <br />
<br />
Particular care should be taken to ensure that no one community or individual can be identified.<br />
<br />
<br />
<br />
== '''Checklist''' ==<br />
<br />
<br />
* Think before you upload your story to the internet and if your security or the security of others could be compromised by others seeing it or not.<br />
<br />
* If you or the interviewee don't want your face shown, or your voice clearly recognisable, you can use tools to help guarantee anonymity (Audacity has tools for audio, ObscuraCam for video).<br />
<br />
* Never use an image of a person without that person's permission, regardless of who owns the image.<br />
<br />
<br />
''(1) Use encryption software (Truecrypt) to ensure security of the file.''<br />
<br />
''(2) Truecrypt is a recommended free open source application that can be used for encrypting data on your computers and portable devices.''</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_deal_with_vulnerable_interviewees&diff=329How to deal with vulnerable interviewees2015-05-20T11:40:19Z<p>Tarryn: </p>
<hr />
<div>'''Dealing with vulnerable interviewees'''<br />
<br />
<br />
'''Introduction'''<br />
<br />
This guide contains resources and important considerations to be put in place when conducting interviews, particularly with survivors of violence and sexual harassment.<br />
<br />
At GenderIT.org, our priorities include giving space to voices from the global South and to the voices of marginalised communities, including victims of violence and sexual harassment. This means an awareness of both our own power and the power of others – including ways in which our actions can enhance or detract from the power of the person whose voice is being heard.<br />
<br />
This means an awareness of the vulnerabilities of those who have experienced sexual or other violence or harassment – giving them the power to decide how anonymous they wish to be, for example, allowing them to choose how to refer to themselves (as a survivor, as a victim etc.), giving them ample space and time to tell, write or edit their story, and time for them to be happy about how it will be shared (if it is to be shared).<br />
<br />
<br />
'''Overview'''<br />
<br />
A key resource here is the Witness guide to interviewing surivors of sexual assault<br />
(http://blog.witness.org/2013/08/new-how-to-guide-for-interviewing-survivors-of-sexual-and-gender-based-violence/). Violence survivors include those in positions of power and authority and if you are speaking to them about their experience of violence, particularly sexual violence or assault, it is still important to follow these principles.<br />
<br />
Another important document is the WHO guide on research on domestic violence (http://www.who.int/gender/documents/violence/who_fch_gwh_01.1/en/) available in English, French and Spanish.<br />
<br />
<br />
'''WHO Guiding Principles for Domestic Violence Research'''<br />
<br />
a. The safety of respondents and the research team is paramount, and should guide all project decisions.<br />
<br />
b. Prevalence studies need to be methodologically sound and to build upon current re- search experience about how to minimize the under-reporting of violence.<br />
<br />
c. Protecting confidentiality is essential to ensure both women’s safety and data quality.<br />
<br />
d. All research team members should be care fully selected and receive specialized training and on-going support.<br />
<br />
e. The study design must include actions aimed at reducing any possible distress caused to the participants by the research.<br />
<br />
f. Fieldworkers should be trained to refer women requesting assistance to available local services and sources of support. Where few resources exist, it may be necessary for the study to create short-term support mechanisms.<br />
<br />
g. Researchers and donors have an ethical obligation to help ensure that their findings are properly interpreted and used to advance policy and intervention development.<br />
<br />
h. Violence questions should only be incorporated into surveys designed for other purposes when ethical and methodological requirements can be met.<br />
<br />
<br />
'''Drawing from these principles''', Athar, Rima "VI. Ethics in the Research Process" In: Research Design for “From impunity to justice: Exploring corporate and legal remedies for technology-related violence against women” research (APC, November 2013) '''drew up these guidelines''':<br />
<br />
<br />
'''Obtaining Informed Consent'''<br />
<br />
* Interviewees are treated as human beings with agency-capable of determining and deciding what is best for them and not mere subjects or as means to extract data.<br />
* As with respect to their self-determination, a.) the nature of the interview, b.) any risks and benefits which might result from their participation, c.) their rights to refuse to participate or to end their participation without penalty, and d.) the means by which they can contact the writer shall be first explained to potential interviews in language they understand. <br />
* It is imperative to stress that consent is voluntary, and as such can be withdrawn at any time prior to publication. Writers must ensure the possibility for interviewees to withdraw their consent (at minimum by providing a way to contact the writer)<br />
* Only those who shall express willingness shall be interviewed. <br />
<br />
<br />
'''Providing support'''<br />
<br />
Interviewees stand to face positive as well as negative effects from their involvement/participation. The writer shall ensure that interviewees not only benefit from the publication of the interview but also from the actual conduct of the interview itself. A good interviewer pays careful attention to the interaction with interviewees as this is critical in remaining aware of potential hierarchies and associated power dynamics that may arise. <br />
<br />
<br />
'''During the Interview'''<br />
<br />
Use sensitive and appropriate methods. The writer shall be in close collaboration with the interviewee and is enjoined not just have an instrumental but genuine relationship with them, recognising that there is no ‘detachment’ from the interviewee’s problems. Treating all people as human beings will entail a degree of emotional involvement and create bond between the interviewer and respondent that can potentially empower both, without creating or fostering dependence. <br />
<br />
It entails listening to the interviewee with sensitivity. Those who have experienced violation and trauma may react poorly to questions around their experiences, and the writer should be able to recognize this and provide an appropriate response. <br />
<br />
During the course of the interview, the interviewer should introduce any section enquiring about violence carefully, forewarning the respondent about the nature of the questions and giving her the opportunity to either stop the interview, or not to answer these questions.<br />
Collaboration means also that the interviewer is willing to self-disclose- to share her/his experience if the interviewee requests.<br />
At all times refrain from any conduct or statement that has the effect or impact of blaming the woman for the violence she has experienced. <br />
<br />
<br />
'''Boundaries'''<br />
<br />
Writers shall take steps to address other needs of the interviewee such as counselling, psycho-social and emotional support through referrals to local and culturally appropriate resources. However, be explicit about limitations and do not make promises that cannot be fulfilled.<br />
Interviewers should not take on a role as counsellor.<br />
<br />
Interviewers should be open to assisting the respondent if asked, within the limits of these protocols, but should not tell her what to do or to take on the personal burden of trying to “save her”. <br />
<br />
Variations in individual and cultural understandings of what constitutes violence against women (including rape, marital rape, assault, harassment, etc.), are to be expected. The writer’s role in working with victims/survivors of violence (as well as all other interviewees) is to bring out their own understandings of the violence they experienced (or witnessed or participated in), through questions and sharing of perspectives that provide room for conversation around different views; rather than try to stick with a pre-determined definition/understanding of what constitutes violence, rape, harassment, assault, etc. <br />
<br />
<br />
'''Providing referrals to social support services'''<br />
<br />
Prior to conducting the interview, research potential providers of support, which may include existing health, legal and social services and educational resources in the community, and less formal providers of support (including community representatives, religious leaders, traditional healers and women’s organizations).<br />
A list of such resources should be made available to the interviewee, but only provided if and when asked for. Such a list should be framed as resources for “women’s heath” broadly, to miminize risks to interviewees that may result from possessing such a list. <br />
<br />
<br />
'''Ensuring Confidentiality'''<br />
<br />
All involved, from the interviewer to the editor, have the duty to assure the women that their identities will be protected, if this has been agreed upon. <br />
Confidentiality means that participants’ cannot be identified by others, so any identifying information (such as location etc) is to be stripped from all materials pertaining to the interview, including photographs and recordings.<br />
Interviewers shall determine what kind of information and details to share, no matter how crucial the women’s revelation.<br />
<br />
<br />
'''Location of interview'''<br />
<br />
Interviews cost the interviewee time and energy. Therefore, they should be carried out in settings that are most convenient for them.<br />
Logistics planning should include consideration of respondent safety. <br />
Interviews should be conducted in complete privacy. In cases where privacy cannot be ensured, interviews should be rescheduled or relocated. <br />
<br />
<br />
'''Recording the Interview'''<br />
<br />
Audio-recordings should be made for in-depth interviews with survivors of violence.<br />
<br />
The permission of the respondents should be sought before taping. The name of the respondent should not be included in the audio-recording at any stage. <br />
Respondents should be informed of who will have access to the tapes and for how long they will be kept. <br />
<br />
1. In this case, only interviewer (& transcriber, if different from the interviewer) will have access to the audio-recording. <br />
<br />
2. The audio-recordings should be kept in encrypted file1on an external hard drive, in a locked cabinet, with limited access. <br />
<br />
3. The audio-recording should be destroyed after publication. <br />
<br />
Extreme caution must be taken to securely transport raw data from locations of interviews to places where data are processed. That applies to all recoding media.<br />
An encryption software must be used during all data storage to ensure security of the data. (2) <br />
<br />
<br />
'''Transcribing the Interviews''' <br />
<br />
The importance of recording and transcribing the interviews is to ensure that women’s experiences and perspectives are shared in their own words. Relying on the interviewers’ notes/memories may be insufficient to ensure quality of data and its analysis. <br />
Transcribing the interviews also enables the respondents the option of reviewing the information they have provided if they wish, and choosing which information they consent to share. <br />
<br />
Particular care should be taken to ensure that no one community or individual can be identified.<br />
<br />
<br />
'''Checklist:'''<br />
<br />
* think before you upload your story to the internet and if your security or the security of others could be compromised by others seeing it or not.<br />
* if you or the interviewee don't want your face shown, or your voice clearly recognisable, you can use tools to help guarantee anonymity (Audacity has tools for audio, ObscuraCam for video).<br />
* never use an image of a person without that person's permission, regardless of who owns the image.<br />
<br />
''(1) Use encryption software (Truecrypt) to ensure security of the file.''<br />
''(2) Truecrypt is a recommended free open source application that can be used for encrypting data on your computers and portable devices.''</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_deal_with_vulnerable_interviewees&diff=328How to deal with vulnerable interviewees2015-05-20T11:36:24Z<p>Tarryn: </p>
<hr />
<div>'''Dealing with vulnerable interviewees'''<br />
<br />
<br />
'''Introduction'''<br />
<br />
This guide contains resources and important considerations to be put in place when conducting interviews, particularly with survivors of violence and sexual harassment.<br />
<br />
At GenderIT.org, our priorities include giving space to voices from the global South and to the voices of marginalised communities, including victims of violence and sexual harassment. This means an awareness of both our own power and the power of others – including ways in which our actions can enhance or detract from the power of the person whose voice is being heard.<br />
<br />
This means an awareness of the vulnerabilities of those who have experienced sexual or other violence or harassment – giving them the power to decide how anonymous they wish to be, for example, allowing them to choose how to refer to themselves (as a survivor, as a victim etc.), giving them ample space and time to tell, write or edit their story, and time for them to be happy about how it will be shared (if it is to be shared).<br />
<br />
<br />
'''Overview'''<br />
<br />
A key resource here is the Witness guide to interviewing surivors of sexual assault<br />
(http://blog.witness.org/2013/08/new-how-to-guide-for-interviewing-survivors-of-sexual-and-gender-based-violence/). Violence survivors include those in positions of power and authority and if you are speaking to them about their experience of violence, particularly sexual violence or assault, it is still important to follow these principles.<br />
<br />
Another important document is the WHO guide on research on domestic violence (http://www.who.int/gender/documents/violence/who_fch_gwh_01.1/en/) available in English, French and Spanish.<br />
<br />
<br />
'''WHO Guiding Principles for Domestic Violence Research'''<br />
<br />
a. The safety of respondents and the research team is paramount, and should guide all project decisions.<br />
<br />
b. Prevalence studies need to be methodologically sound and to build upon current re- search experience about how to minimize the under-reporting of violence.<br />
<br />
c. Protecting confidentiality is essential to ensure both women’s safety and data quality.<br />
<br />
d. All research team members should be care fully selected and receive specialized training and on-going support.<br />
<br />
e. The study design must include actions aimed at reducing any possible distress caused to the participants by the research.<br />
<br />
f. Fieldworkers should be trained to refer women requesting assistance to available local services and sources of support. Where few resources exist, it may be necessary for the study to create short-term support mechanisms.<br />
<br />
g. Researchers and donors have an ethical obligation to help ensure that their findings are properly interpreted and used to advance policy and intervention development.<br />
<br />
h. Violence questions should only be incorporated into surveys designed for other purposes when ethical and methodological requirements can be met.<br />
<br />
<br />
'''Drawing from these principles''', Athar, Rima "VI. Ethics in the Research Process" In: Research Design for “From impunity to justice: Exploring corporate and legal remedies for technology-related violence against women” research (APC, November 2013) '''drew up these guidelines''':<br />
<br />
<br />
'''Obtaining Informed Consent'''<br />
<br />
Interviewees are treated as human beings with agency-capable of determining and deciding what is best for them and not mere subjects or as means to extract data.<br />
As with respect to their self-determination, a.) the nature of the interview, b.) any risks and benefits which might result from their participation, c.) their rights to refuse to participate or to end their participation without penalty, and d.) the means by which they can contact the writer shall be first explained to potential interviews in language they understand. <br />
<br />
It is imperative to stress that consent is voluntary, and as such can be withdrawn at any time prior to publication. Writers must ensure the possibility for interviewees to withdraw their consent (at minimum by providing a way to contact the writer)<br />
Only those who shall express willingness shall be interviewed. <br />
<br />
<br />
'''Providing support'''<br />
<br />
Interviewees stand to face positive as well as negative effects from their involvement/participation. The writer shall ensure that interviewees not only benefit from the publication of the interview but also from the actual conduct of the interview itself. A good interviewer pays careful attention to the interaction with interviewees as this is critical in remaining aware of potential hierarchies and associated power dynamics that may arise. <br />
<br />
<br />
'''During the Interview'''<br />
<br />
Use sensitive and appropriate methods. The writer shall be in close collaboration with the interviewee and is enjoined not just have an instrumental but genuine relationship with them, recognising that there is no ‘detachment’ from the interviewee’s problems. Treating all people as human beings will entail a degree of emotional involvement and create bond between the interviewer and respondent that can potentially empower both, without creating or fostering dependence. <br />
It entails listening to the interviewee with sensitivity. Those who have experienced violation and trauma may react poorly to questions around their experiences, and the writer should be able to recognize this and provide an appropriate response. <br />
During the course of the interview, the interviewer should introduce any section enquiring about violence carefully, forewarning the respondent about the nature of the questions and giving her the opportunity to either stop the interview, or not to answer these questions.<br />
Collaboration means also that the interviewer is willing to self-disclose- to share her/his experience if the interviewee requests.<br />
At all times refrain from any conduct or statement that has the effect or impact of blaming the woman for the violence she has experienced. <br />
<br />
<br />
'''Boundaries'''<br />
<br />
Writers shall take steps to address other needs of the interviewee such as counselling, psycho-social and emotional support through referrals to local and culturally appropriate resources. However, be explicit about limitations and do not make promises that cannot be fulfilled.<br />
Interviewers should not take on a role as counsellor.<br />
Interviewers should be open to assisting the respondent if asked, within the limits of these protocols, but should not tell her what to do or to take on the personal burden of trying to “save her”. <br />
Variations in individual and cultural understandings of what constitutes violence against women (including rape, marital rape, assault, harassment, etc.), are to be expected. The writer’s role in working with victims/survivors of violence (as well as all other interviewees) is to bring out their own understandings of the violence they experienced (or witnessed or participated in), through questions and sharing of perspectives that provide room for conversation around different views; rather than try to stick with a pre-determined definition/understanding of what constitutes violence, rape, harassment, assault, etc. <br />
<br />
<br />
'''Providing referrals to social support services'''<br />
<br />
Prior to conducting the interview, research potential providers of support, which may include existing health, legal and social services and educational resources in the community, and less formal providers of support (including community representatives, religious leaders, traditional healers and women’s organizations).<br />
A list of such resources should be made available to the interviewee, but only provided if and when asked for. Such a list should be framed as resources for “women’s heath” broadly, to miminize risks to interviewees that may result from possessing such a list. <br />
<br />
<br />
'''Ensuring Confidentiality'''<br />
<br />
All involved, from the interviewer to the editor, have the duty to assure the women that their identities will be protected, if this has been agreed upon. <br />
Confidentiality means that participants’ cannot be identified by others, so any identifying information (such as location etc) is to be stripped from all materials pertaining to the interview, including photographs and recordings.<br />
Interviewers shall determine what kind of information and details to share, no matter how crucial the women’s revelation.<br />
<br />
<br />
'''Location of interview'''<br />
<br />
Interviews cost the interviewee time and energy. Therefore, they should be carried out in settings that are most convenient for them.<br />
Logistics planning should include consideration of respondent safety. <br />
Interviews should be conducted in complete privacy. In cases where privacy cannot be ensured, interviews should be rescheduled or relocated. <br />
<br />
<br />
'''Recording the Interview'''<br />
<br />
Audio-recordings should be made for in-depth interviews with survivors of violence.<br />
<br />
The permission of the respondents should be sought before taping. The name of the respondent should not be included in the audio-recording at any stage. <br />
Respondents should be informed of who will have access to the tapes and for how long they will be kept. <br />
<br />
1. In this case, only interviewer (& transcriber, if different from the interviewer) will have access to the audio-recording. <br />
<br />
2. The audio-recordings should be kept in encrypted file1on an external hard drive, in a locked cabinet, with limited access. <br />
<br />
3. The audio-recording should be destroyed after publication. <br />
<br />
Extreme caution must be taken to securely transport raw data from locations of interviews to places where data are processed. That applies to all recoding media.<br />
An encryption software must be used during all data storage to ensure security of the data. 2 <br />
<br />
<br />
'''Transcribing the Interviews''' <br />
<br />
The importance of recording and transcribing the interviews is to ensure that women’s experiences and perspectives are shared in their own words. Relying on the interviewers’ notes/memories may be insufficient to ensure quality of data and its analysis. <br />
Transcribing the interviews also enables the respondents the option of reviewing the information they have provided if they wish, and choosing which information they consent to share. <br />
<br />
Particular care should be taken to ensure that no one community or individual can be identified.<br />
<br />
<br />
'''Checklist:'''<br />
<br />
* think before you upload your story to the internet and if your security or the security of others could be compromised by others seeing it or not.<br />
* if you or the interviewee don't want your face shown, or your voice clearly recognisable, you can use tools to help guarantee anonymity (Audacity has tools for audio, ObscuraCam for video).<br />
* never use an image of a person without that person's permission, regardless of who owns the image.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_deal_with_vulnerable_interviewees&diff=327How to deal with vulnerable interviewees2015-05-20T11:34:13Z<p>Tarryn: Created page with "'''Dealing with vulnerable interviewees''' '''Introduction''' This guide contains resources and important considerations to be put in place when conducting interviews, part..."</p>
<hr />
<div>'''Dealing with vulnerable interviewees'''<br />
<br />
<br />
'''Introduction'''<br />
<br />
This guide contains resources and important considerations to be put in place when conducting interviews, particularly with survivors of violence and sexual harassment.<br />
<br />
At GenderIT.org, our priorities include giving space to voices from the global South and to the voices of marginalised communities, including victims of violence and sexual harassment. This means an awareness of both our own power and the power of others – including ways in which our actions can enhance or detract from the power of the person whose voice is being heard.<br />
<br />
This means an awareness of the vulnerabilities of those who have experienced sexual or other violence or harassment – giving them the power to decide how anonymous they wish to be, for example, allowing them to choose how to refer to themselves (as a survivor, as a victim etc.), giving them ample space and time to tell, write or edit their story, and time for them to be happy about how it will be shared (if it is to be shared).<br />
<br />
<br />
'''Overview'''<br />
<br />
A key resource here is the Witness guide to interviewing surivors of sexual assault<br />
(http://blog.witness.org/2013/08/new-how-to-guide-for-interviewing-survivors-of-sexual-and-gender-based-violence/). Violence survivors include those in positions of power and authority and if you are speaking to them about their experience of violence, particularly sexual violence or assault, it is still important to follow these principles.<br />
<br />
Another important document is the WHO guide on research on domestic violence (http://www.who.int/gender/documents/violence/who_fch_gwh_01.1/en/) available in English, French and Spanish.<br />
<br />
<br />
'''WHO Guiding Principles for Domestic Violence Research'''<br />
<br />
a. The safety of respondents and the research team is paramount, and should guide all project decisions.<br />
<br />
b. Prevalence studies need to be methodologically sound and to build upon current re- search experience about how to minimize the under-reporting of violence.<br />
<br />
c. Protecting confidentiality is essential to ensure both women’s safety and data quality.<br />
<br />
d. All research team members should be care fully selected and receive specialized training and on-going support.<br />
<br />
e. The study design must include actions aimed at reducing any possible distress caused to the participants by the research.<br />
<br />
f. Fieldworkers should be trained to refer women requesting assistance to available local services and sources of support. Where few resources exist, it may be necessary for the study to create short-term support mechanisms.<br />
<br />
g. Researchers and donors have an ethical obligation to help ensure that their findings are properly interpreted and used to advance policy and intervention development.<br />
<br />
h. Violence questions should only be incorporated into surveys designed for other purposes when ethical and methodological requirements can be met.<br />
<br />
[[Drawing from these principles]], Athar, Rima "VI. Ethics in the Research Process" In: Research Design for “From impunity to justice: Exploring corporate and legal remedies for technology-related violence against women” research (APC, November 2013) [[drew up these guidelines]]:<br />
<br />
'''Obtaining Informed Consent'''<br />
<br />
Interviewees are treated as human beings with agency-capable of determining and deciding what is best for them and not mere subjects or as means to extract data.<br />
As with respect to their self-determination, a.) the nature of the interview, b.) any risks and benefits which might result from their participation, c.) their rights to refuse to participate or to end their participation without penalty, and d.) the means by which they can contact the writer shall be first explained to potential interviews in language they understand. <br />
<br />
It is imperative to stress that consent is voluntary, and as such can be withdrawn at any time prior to publication. Writers must ensure the possibility for interviewees to withdraw their consent (at minimum by providing a way to contact the writer)<br />
Only those who shall express willingness shall be interviewed. <br />
<br />
'''Providing support'''<br />
<br />
Interviewees stand to face positive as well as negative effects from their involvement/participation. The writer shall ensure that interviewees not only benefit from the publication of the interview but also from the actual conduct of the interview itself. A good interviewer pays careful attention to the interaction with interviewees as this is critical in remaining aware of potential hierarchies and associated power dynamics that may arise. <br />
<br />
'''During the Interview'''<br />
<br />
Use sensitive and appropriate methods. The writer shall be in close collaboration with the interviewee and is enjoined not just have an instrumental but genuine relationship with them, recognising that there is no ‘detachment’ from the interviewee’s problems. Treating all people as human beings will entail a degree of emotional involvement and create bond between the interviewer and respondent that can potentially empower both, without creating or fostering dependence. <br />
It entails listening to the interviewee with sensitivity. Those who have experienced violation and trauma may react poorly to questions around their experiences, and the writer should be able to recognize this and provide an appropriate response. <br />
During the course of the interview, the interviewer should introduce any section enquiring about violence carefully, forewarning the respondent about the nature of the questions and giving her the opportunity to either stop the interview, or not to answer these questions.<br />
Collaboration means also that the interviewer is willing to self-disclose- to share her/his experience if the interviewee requests.<br />
At all times refrain from any conduct or statement that has the effect or impact of blaming the woman for the violence she has experienced. <br />
<br />
'''Boundaries'''<br />
<br />
Writers shall take steps to address other needs of the interviewee such as counselling, psycho-social and emotional support through referrals to local and culturally appropriate resources. However, be explicit about limitations and do not make promises that cannot be fulfilled.<br />
Interviewers should not take on a role as counsellor.<br />
Interviewers should be open to assisting the respondent if asked, within the limits of these protocols, but should not tell her what to do or to take on the personal burden of trying to “save her”. <br />
Variations in individual and cultural understandings of what constitutes violence against women (including rape, marital rape, assault, harassment, etc.), are to be expected. The writer’s role in working with victims/survivors of violence (as well as all other interviewees) is to bring out their own understandings of the violence they experienced (or witnessed or participated in), through questions and sharing of perspectives that provide room for conversation around different views; rather than try to stick with a pre-determined definition/understanding of what constitutes violence, rape, harassment, assault, etc. <br />
<br />
'''Providing referrals to social support services'''<br />
<br />
Prior to conducting the interview, research potential providers of support, which may include existing health, legal and social services and educational resources in the community, and less formal providers of support (including community representatives, religious leaders, traditional healers and women’s organizations).<br />
A list of such resources should be made available to the interviewee, but only provided if and when asked for. Such a list should be framed as resources for “women’s heath” broadly, to miminize risks to interviewees that may result from possessing such a list. <br />
<br />
'''Ensuring Confidentiality'''<br />
<br />
All involved, from the interviewer to the editor, have the duty to assure the women that their identities will be protected, if this has been agreed upon. <br />
Confidentiality means that participants’ cannot be identified by others, so any identifying information (such as location etc) is to be stripped from all materials pertaining to the interview, including photographs and recordings.<br />
Interviewers shall determine what kind of information and details to share, no matter how crucial the women’s revelation.<br />
<br />
'''Location of interview'''<br />
<br />
Interviews cost the interviewee time and energy. Therefore, they should be carried out in settings that are most convenient for them.<br />
Logistics planning should include consideration of respondent safety. <br />
Interviews should be conducted in complete privacy. In cases where privacy cannot be ensured, interviews should be rescheduled or relocated. <br />
<br />
'''Recording the Interview'''<br />
<br />
Audio-recordings should be made for in-depth interviews with survivors of violence.<br />
<br />
The permission of the respondents should be sought before taping. The name of the respondent should not be included in the audio-recording at any stage. <br />
Respondents should be informed of who will have access to the tapes and for how long they will be kept. <br />
<br />
1. In this case, only interviewer (& transcriber, if different from the interviewer) will have access to the audio-recording. <br />
<br />
2. The audio-recordings should be kept in encrypted file1on an external hard drive, in a locked cabinet, with limited access. <br />
<br />
3. The audio-recording should be destroyed after publication. <br />
<br />
Extreme caution must be taken to securely transport raw data from locations of interviews to places where data are processed. That applies to all recoding media.<br />
An encryption software must be used during all data storage to ensure security of the data. 2 <br />
<br />
'''Transcribing the Interviews''' <br />
<br />
The importance of recording and transcribing the interviews is to ensure that women’s experiences and perspectives are shared in their own words. Relying on the interviewers’ notes/memories may be insufficient to ensure quality of data and its analysis. <br />
Transcribing the interviews also enables the respondents the option of reviewing the information they have provided if they wish, and choosing which information they consent to share. <br />
<br />
Particular care should be taken to ensure that no one community or individual can be identified.<br />
<br />
<br />
'''Checklist:'''<br />
<br />
* think before you upload your story to the internet and if your security or the security of others could be compromised by others seeing it or not.<br />
* if you or the interviewee don't want your face shown, or your voice clearly recognisable, you can use tools to help guarantee anonymity (Audacity has tools for audio, ObscuraCam for video).<br />
* never use an image of a person without that person's permission, regardless of who owns the image.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_work_with_images&diff=326How to work with images2015-05-20T11:24:02Z<p>Tarryn: </p>
<hr />
<div>'''Introduction'''<br />
<br />
Photographs can illuminate a story, but also present risks for information they may inadvertently provide about the location and identities of those in the photographs. This guide addresses these questions of safety, security and ensuring anonymity.<br />
<br />
<br />
'''Overview'''<br />
<br />
If you're looking for a fairly simple how-to for digital photography, take a look at http://photo.net/equipment/digital/basics/. It includes information on choosing a camera, as well as guiding readers through the vocabulary of a digital camera.<br />
<br />
A really beautiful online guide to portrait photography is available at https://archive.org/details/The_Perfect_Portrait_Guide_How_to_Photograph_People. This is really practical for taking one-on-one shots, less practical in the chaotic atmosphere of a conference.<br />
<br />
Perhaps more practical tips for the type of photographs you might be taking if you go to a conference or event are available [http://photography.tutsplus.com/series/photojournalism—photo-8677 here]<br />
<br />
<br />
'''Technical tools'''<br />
<br />
Obviously, you'll need a camera. The quality of most point-and-shoot cameras is usually sufficient for the website.<br />
<br />
However, you may need to change the quality or otherwise edit your photo. An open source alternative to Photoshop is available at http://www.gimp.org/, which has tutorials on the same site.<br />
<br />
If you're taking photos with your phone, make sure you use the ObscuraCam app to protect the identity of those whose pictures you take. This app removes location and other identifying material from the photos. Available free at https://guardianproject.info/apps/obscuracam/.<br />
<br />
<br />
'''Methods'''<br />
<br />
Aside from the technical tips covered above, as always make sure that you respect people's privacy. At conferences, ensure that those in photographs are happy with the image being made public – in many conferences people may wear some form of identification to show that they don't want their photographs taken. It is vital that this is respected. If you aren't sure, or don't get to ask, don't upload the shot – or anonymise their picture (see the link to ObscuraCam above).<br />
<br />
If you have done an interview and the interviewee wants to remain anonymous, you could take photos of hands, a sillhouette or other means that protect their identity. Check out the resources at gbv.witness.org for ideas and suggestions. <br />
<br />
<br />
'''Checklist'''<br />
<br />
1. Before going out, make sure you have spare batteries and a notepad (and a camera!).<br />
<br />
2. Get the permission of everyone you photograph to use their pictures. Explain the context of the site and if possible, the context of the story.<br />
<br />
3. Before taking the shot, check the lighting, check that everything is to scale (see http://www.hongkiat.com/blog/force-perspective-photos/).<br />
<br />
4. If the photo is taken with a smart device, make sure you strip identifying data from the shot.<br />
<br />
5. Make sure that the image in in the right format before uploading.<br />
<br />
<br />
'''Technical tips for using the picture in GenderIT.org'''<br />
<br />
1. Please make sure the file size does not exceed the 25 MB. If this is the case, you can easily reduce the size by using this online tool: http://www.webresizer.com/resizer/ You can also crop them if you need to.<br />
<br />
2. Allowed file extensions are ''png gif jpg jpeg'' <br />
<br />
3. On the HOW to upload them, please refer yourself to the technical guide about how to upload content in GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_work_with_images&diff=325How to work with images2015-05-20T11:22:42Z<p>Tarryn: </p>
<hr />
<div>'''Introduction'''<br />
<br />
Photographs can illuminate a story, but also present risks for information they may inadvertently provide about the location and identities of those in the photographs. This guide addresses these questions of safety, security and ensuring anonymity.<br />
<br />
<br />
'''Overview'''<br />
<br />
If you're looking for a fairly simple how-to for digital photography, take a look at http://photo.net/equipment/digital/basics/. It includes information on choosing a camera, as well as guiding readers through the vocabulary of a digital camera.<br />
<br />
A really beautiful online guide to portrait photography is available at https://archive.org/details/The_Perfect_Portrait_Guide_How_to_Photograph_People. This is really practical for taking one-on-one shots, less practical in the chaotic atmosphere of a conference.<br />
<br />
Perhaps more practical tips for the type of photographs you might be taking if you go to a conference or event are available [http://photography.tutsplus.com/series/photojournalism—photo-8677 here]<br />
<br />
<br />
'''Technical tools'''<br />
<br />
Obviously, you'll need a camera. The quality of most point-and-shoot cameras is usually sufficient for the website.<br />
<br />
However, you may need to change the quality or otherwise edit your photo. An open source alternative to Photoshop is available at http://www.gimp.org/, which has tutorials on the same site.<br />
<br />
If you're taking photos with your phone, make sure you use the ObscuraCam app to protect the identity of those whose pictures you take. This app removes location and other identifying material from the photos. Available free at https://guardianproject.info/apps/obscuracam/.<br />
<br />
<br />
'''Methods'''<br />
<br />
Aside from the technical tips covered above, as always make sure that you respect people's privacy. At conferences, ensure that those in photographs are happy with the image being made public – in many conferences people may wear some form of identification to show that they don't want their photographs taken. It is vital that this is respected. If you aren't sure, or don't get to ask, don't upload the shot – or anonymise their picture (see the link to ObscuraCam above).<br />
<br />
If you have done an interview and the interviewee wants to remain anonymous, you could take photos of hands, a sillhouette or other means that protect their identity. Check out the resources at gbv.witness.org for ideas and suggestions. <br />
<br />
<br />
'''Checklist'''<br />
<br />
1. Before going out, make sure you have spare batteries and a notepad (and a camera!).<br />
<br />
2. Get the permission of everyone you photograph to use their pictures. Explain the context of the site and if possible, the context of the story.<br />
<br />
3. Before taking the shot, check the lighting, check that everything is to scale (see http://www.hongkiat.com/blog/force-perspective-photos/).<br />
<br />
4. If the photo is taken with a smart device, make sure you strip identifying data from the shot.<br />
5. Make sure that the image in in the right format before uploading.<br />
<br />
<br />
'''Technical tips for using the picture in GenderIT.org'''<br />
<br />
1. Please make sure the file size does not exceed the 25 MB. If this is the case, you can easily reduce the size by using this online tool: http://www.webresizer.com/resizer/ You can also crop them if you need to.<br />
<br />
2. Allowed file extensions are ''png gif jpg jpeg'' <br />
<br />
3. On the HOW to upload them, please refer yourself to the technical guide about how to upload content in GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_work_with_images&diff=324How to work with images2015-05-20T11:20:34Z<p>Tarryn: Created page with "'''Introduction''' Photographs can illuminate a story, but also present risks for information they may inadvertently provide about the location and identities of those in the..."</p>
<hr />
<div>'''Introduction'''<br />
<br />
Photographs can illuminate a story, but also present risks for information they may inadvertently provide about the location and identities of those in the photographs. This guide addresses these questions of safety, security and ensuring anonymity.<br />
<br />
'''Overview'''<br />
<br />
If you're looking for a fairly simple how-to for digital photography, take a look at http://photo.net/equipment/digital/basics/. It includes information on choosing a camera, as well as guiding readers through the vocabulary of a digital camera.<br />
<br />
A really beautiful online guide to portrait photography is available at https://archive.org/details/The_Perfect_Portrait_Guide_How_to_Photograph_People. This is really practical for taking one-on-one shots, less practical in the chaotic atmosphere of a conference.<br />
<br />
Perhaps more practical tips for the type of photographs you might be taking if you go to a conference or event are available here http://photography.tutsplus.com/series/photojournalism—photo-8677.<br />
<br />
'''Technical tools'''<br />
<br />
Obviously, you'll need a camera. The quality of most point-and-shoot cameras is usually sufficient for the website.<br />
<br />
However, you may need to change the quality or otherwise edit your photo. An open source alternative to Photoshop is available at http://www.gimp.org/, which has tutorials on the same site.<br />
<br />
If you're taking photos with your phone, make sure you use the ObscuraCam app to protect the identity of those whose pictures you take. This app removes location and other identifying material from the photos. Available free at https://guardianproject.info/apps/obscuracam/.<br />
<br />
'''Methods'''<br />
<br />
Aside from the technical tips covered above, as always make sure that you respect people's privacy. At conferences, ensure that those in photographs are happy with the image being made public – in many conferences people may wear some form of identification to show that they don't want their photographs taken. It is vital that this is respected. If you aren't sure, or don't get to ask, don't upload the shot – or anonymise their picture (see the link to ObscuraCam above).<br />
<br />
If you have done an interview and the interviewee wants to remain anonymous, you could take photos of hands, a sillhouette or other means that protect their identity. Check out the resources at gbv.witness.org for ideas and suggestions. <br />
<br />
'''Checklist'''<br />
<br />
1. Before going out, make sure you have spare batteries and a notepad (and a camera!).<br />
<br />
2. Get the permission of everyone you photograph to use their pictures. Explain the context of the site and if possible, the context of the story.<br />
<br />
3. Before taking the shot, check the lighting, check that everything is to scale (see http://www.hongkiat.com/blog/force-perspective-photos/).<br />
<br />
4. If the photo is taken with a smart device, make sure you strip identifying data from the shot.<br />
5. Make sure that the image in in the right format before uploading.<br />
<br />
'''Technical tips for using the picture in GenderIT.org'''<br />
<br />
1. Please make sure the file size does not exceed the 25 MB. If this is the case, you can easily reduce the size by using this online tool: http://www.webresizer.com/resizer/ You can also crop them if you need to.<br />
<br />
2. Allowed file extensions are png gif jpg jpeg <br />
<br />
3. On the HOW to upload them, please refer yourself to the technical guide about how to upload content in GenderIT.org.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Reference_guide&diff=289Reference guide2015-05-19T09:18:37Z<p>Tarryn: </p>
<hr />
<div><br />
'''APC Reference Guide'''<br />
<br />
APC uses an adapted version of the American Psychological Association (APA) style of referencing. The key difference is APC's use of footnotes rather than in-text citation of author and date. We take into consideration the impracticality of scrolling backwards and forwards to the bibliography. Footnotes are better suited to documents that are likely to be read on a digital device. Please take into account the following recommendations when writing and editing for APC.<br />
<br />
<br />
'''[http://www.apc.org/en/system/files/APC_ReferenceGuide_2-0.pdf Read or download the Reference guide in pdf format]'''</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=Our_code_of_ethics&diff=236Our code of ethics2015-05-18T12:48:46Z<p>Tarryn: </p>
<hr />
<div>The GenderIT.org code of ethics is based on feminist theory and praxis and is a work in progress. We have developed this bearing in mind that most codes of ethics for journalists have been developed primarily for print media, in an era prior to the connectivity made possible by the internet. They have also largely been inherited from organisations steeped in patriarchy and while there are lots of positive examples of incorporating gender into these codes, we feel that a code of ethics that has a feminist starting point and which takes into account some of the complexities occasioned by the internet can contribute not only to achieving the [http://www.genderit.org/articles/feminist-principles-internet feminist principles of the internet], but also in debates and discussion on codes of ethics in journalism more broadly.<br />
<br />
<br />
'''1.''' '''Respect''' should be the underlying principle in all communications on this site. This includes comments on posts and posts themselves. It includes respect for a diversity of identities, cultural experiences and political contexts. It includes respect for the integrity of the individual(s) behind the posts, regardless of how they choose to identify, if at all.<br />
<br />
<br />
'''2.''' Comments and posts should contribute to debate and discussion. Those that do not will be deleted. If we feel that the issue warrants it, we will post justifications.<br />
<br />
<br />
'''3.''' '''Power relations''' are fundamental to persistent inequalities. This is a site aimed at providing a space for marginalised and queer voices to address these inequalities. Therefore, voices from the Global South, from marginalised and queer communities will be privileged over other voices.<br />
<br />
<br />
'''4.''' We recognise that '''violence online''' is real and has tangible real-world impacts. This is an extension of misogyny that attempts to silence feminist voices regardless of medium. It is a key part of the site's advocacy to address this issue and the gap in understanding and knowledge that surrounds gender-based violence online and through the use of new technologies.<br />
<br />
<br />
'''5.''' GenderIT.org recognises '''the principle of fluidity of identity and the right to be forgotten'''. In practical terms this means that GenderIT.org safeguards the privacy of both formal and informal contributors to the site, and allows them control over the manner in which they are represented, if they choose to reveal an identity and what identity they choose to reveal. '''We expect honesty in all dealings with GenderIT.org'''. <br />
<br />
<br />
'''6.''' Resistance to the neoliberal, capitalist order is fundamental to realising a feminist space. We manifest this in our commitment to '''open source technology, to copyleft licensing of our articles'''. Complementary to this, we recognise the historic burdens placed on women and marginalised communities in terms of unpaid or poorly paid labour and resolve to be part of the solution to women's multiple burdens as far as is possible.<br />
<br />
<br />
'''7.''' '''Access to knowledge''' is a fundamental human right. We commit to this through the licensing of our material and in a commitment to translate as broadly as resources allow. We also believe that access to knowledge in a digital context is only possible by '''demystifying technology and using plain language''' as much as possible.<br />
<br />
<br />
'''8.''' We recognise the '''rights of survivors''' to their own story, and recognise that sharing this story is a brave and often empowering act. We also recognise that sharing a story opens up survivors to further abuse. We attempt to balance competing interests in a manner that puts the rights of the individual to their own story at the heart of our decision.<br />
<br />
<br />
'''9.''' The team behind GenderIT.org are fallible. We attempt to be transparent in our decision-making processes, and will attempt to address conflicts that arise as a result of our decisions within the spaces on the website.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=A_guide_for_new_editors&diff=230A guide for new editors2015-05-18T12:15:53Z<p>Tarryn: </p>
<hr />
<div>'''Guide for editors'''<br />
<br />
This is a guide to help editors new to GenderIT.org to understand the priorities for the site and provide a quick reference to important documents that you may need in your work.<br />
<br />
<br />
'''Introduction'''<br />
<br />
The editor is the link between the writer and the audience, and the main aim of the editor is to improve communication between the two. While all stories should follow GenderIT.org style and editorial guidelines, and be in line with the core principles of the site, as far as possible, the editor keeps the words and flow of the original writer. The writer is usually an expert in their field, often with many years of campaigning or struggle in their own country – often in languages that are not English. It is important to respect the writer, and ask them questions and permission for any substantive changes.<br />
<br />
It is not always easy to follow these guidelines! <br />
<br />
<br />
'''Editing tips'''<br />
<br />
Read through the entire piece first. This gives some sense of what the story is about, and often points that are confusing can be clarified later on.<br />
<br />
Use a lighter touch for blogs such as Feminist Talk. Just check for spelling and readability – only if something is very confusing, make an amendment. Always track changes.<br />
<br />
<br />
Check for points that are made more than once. If there is new information, try to meld the two together for brevity, and readability.<br />
<br />
Make sure that language is as simple as possible. Writers, especially those fluent in English, may use colloquialisms or long words. It is particularly important for readers whose first language is not English to simplify these. <br />
<br />
Example: '''Time seemed to fly''', the conference was '''so packed''' with exciting speakers. <br />
Instead: The conference had lots of exciting speakers.<br />
<br />
<br />
As far as possible check accuracy. If there was an event, check the dates, that names are spelt correctly etc. Google is definitely your friend!<br />
<br />
Check footnotes and references, for both style and completeness. If you think something needs to be referenced, ask for the writer to put that in.<br />
<br />
For some writers (but certainly not all), this may be the first time they are publishing something in English. Your role MAY be to guide and advise them. It is usually clear from the text itself if this is the case. Always phrase guidance respectfully and positively.<br />
<br />
<br />
Its important that you encourage the writers to provide as many links within the text as possible. Some writers might not be used to write in online platforms, so we should try to make the text as fluid and rich as possible. The articles can't cover all the contextual information that understanding the content of the article might require, but links can be quite useful for that. <br />
<br />
<br />
Editors should also help writers understand how important is to save some time to search in the website and select related articles and resources as much as possible. This way we build on previous writings and we offer the readership a much prolific reading experience. And we increase our chances of readers to get interested in related materials and to stay on the website!<br />
<br />
Some pieces may need two or three edits. Be prepared!<br />
<br />
<br />
'''Editing a translation'''<br />
<br />
Many of GenderIT.org articles are translations (from English to Spanish or viceversa). Editing translations has its own challenges, since the mediation of the translator is a second voice that shows in the final article. Always edit the translated article with the original in hand, so you can double-check that the translator didn't misunderstand any phrase or word. In some cases, when translators do not understand a very specific word or expression, they might highlight it for your consideration, so be ready to solve that quiz. Going back to the author and asking for synonyms or alternative ways of saying it might help.<br />
<br />
<br />
'''Quick links'''<br />
<br />
Link here to [[Our code of ethics]]; [[Style guide]]; Editorial guide; Citation guide.<br />
<br />
<br />
'''Checklist'''<br />
<br />
1. Does the piece as a whole make sense? Is the argument/ are the points clear? Is there any repetition, and if so, does it serve a purpose?<br />
<br />
2. Is the language clear? Are there any colloquialisms? Are there any words or phrases that a person whose first language is not English may have difficulty understanding?<br />
<br />
3. Are the grammar and spelling correct?<br />
<br />
4. Are all quotes or other materials adequately referenced, following the house style?<br />
<br />
5. Is there anything missing? Is there an argument or idea that the writer could have followed up on that would strengthen the article? Are there any suggestions you'd like to make to the writer?</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=A_guide_for_new_editors&diff=229A guide for new editors2015-05-18T12:13:56Z<p>Tarryn: </p>
<hr />
<div>'''Guide for editors'''<br />
<br />
This is a guide to help editors new to GenderIT.org to understand the priorities for the site and provide a quick reference to important documents that you may need in your work.<br />
<br />
<br />
'''Introduction'''<br />
<br />
The editor is the link between the writer and the audience, and the main aim of the editor is to improve communication between the two. While all stories should follow GenderIT.org style and editorial guidelines, and be in line with the core principles of the site, as far as possible, the editor keeps the words and flow of the original writer. The writer is usually an expert in their field, often with many years of campaigning or struggle in their own country – often in languages that are not English. It is important to respect the writer, and ask them questions and permission for any substantive changes.<br />
<br />
It is not always easy to follow these guidelines! <br />
<br />
<br />
'''Editing tips'''<br />
<br />
Read through the entire piece first. This gives some sense of what the story is about, and often points that are confusing can be clarified later on.<br />
<br />
Use a lighter touch for blogs such as Feminist Talk. Just check for spelling and readability – only if something is very confusing, make an amendment. Always track changes.<br />
<br />
<br />
Check for points that are made more than once. If there is new information, try to meld the two together for brevity, and readability.<br />
<br />
Make sure that language is as simple as possible. Writers, especially those fluent in English, may use colloquialisms or long words. It is particularly important for readers whose first language is not English to simplify these. <br />
<br />
Example: '''Time seemed to fly''', the conference was '''so packed''' with exciting speakers. <br />
Instead: The conference had lots of exciting speakers.<br />
<br />
<br />
As far as possible check accuracy. If there was an event, check the dates, that names are spelt correctly etc. Google is definitely your friend!<br />
<br />
Check footnotes and references, for both style and completeness. If you think something needs to be referenced, ask for the writer to put that in.<br />
<br />
For some writers (but certainly not all), this may be the first time they are publishing something in English. Your role MAY be to guide and advise them. It is usually clear from the text itself if this is the case. Always phrase guidance respectfully and positively.<br />
<br />
<br />
Its important that you encourage the writers to provide as many links within the text as possible. Some writers might not be used to write in online platforms, so we should try to make the text as fluid and rich as possible. The articles can't cover all the contextual information that understanding the content of the article might require, but links can be quite useful for that. <br />
<br />
<br />
Editors should also help writers understand how important is to save some time to search in the website and select related articles and resources as much as possible. This way we build on previous writings and we offer the readership a much prolific reading experience. And we increase our chances of readers to get interested in related materials and to stay on the website!<br />
<br />
Some pieces may need two or three edits. Be prepared!<br />
<br />
<br />
'''Editing a translation'''<br />
<br />
Many of GenderIT.org articles are translations (from English to Spanish or viceversa). Editing translations has its own challenges, since the mediation of the translator is a second voice that shows in the final article. Always edit the translated article with the original in hand, so you can double-check that the translator didn't misunderstand any phrase or word. In some cases, when translators do not understand a very specific word or expression, they might highlight it for your consideration, so be ready to solve that quiz. Going back to the author and asking for synonyms or alternative ways of saying it might help.<br />
<br />
<br />
'''Quick links'''<br />
<br />
Link here to Code of ethics; Style guide; Editorial guide; Citation guide.<br />
<br />
<br />
'''Checklist'''<br />
<br />
1. Does the piece as a whole make sense? Is the argument/ are the points clear? Is there any repetition, and if so, does it serve a purpose?<br />
<br />
2. Is the language clear? Are there any colloquialisms? Are there any words or phrases that a person whose first language is not English may have difficulty understanding?<br />
<br />
3. Are the grammar and spelling correct?<br />
<br />
4. Are all quotes or other materials adequately referenced, following the house style?<br />
<br />
5. Is there anything missing? Is there an argument or idea that the writer could have followed up on that would strengthen the article? Are there any suggestions you'd like to make to the writer?</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=A_guide_for_new_editors&diff=228A guide for new editors2015-05-18T12:11:05Z<p>Tarryn: Created page with "'''Guide for editors''' This is a guide to help editors new to GenderIT.org to understand the priorities for the site and provide a quick reference to important documents tha..."</p>
<hr />
<div>'''Guide for editors'''<br />
<br />
This is a guide to help editors new to GenderIT.org to understand the priorities for the site and provide a quick reference to important documents that you may need in your work.<br />
<br />
<br />
'''Introduction'''<br />
<br />
The editor is the link between the writer and the audience, and the main aim of the editor is to improve communication between the two. While all stories should follow GenderIT.org style and editorial guidelines, and be in line with the core principles of the site, as far as possible, the editor keeps the words and flow of the original writer. The writer is usually an expert in their field, often with many years of campaigning or struggle in their own country – often in languages that are not English. It is important to respect the writer, and ask them questions and permission for any substantive changes.<br />
<br />
It is not always easy to follow these guidelines! <br />
<br />
<br />
'''Editing tips'''<br />
<br />
Read through the entire piece first. This gives some sense of what the story is about, and often points that are confusing can be clarified later on.<br />
<br />
Use a lighter touch for blogs such as Feminist Talk. Just check for spelling and readability – only if something is very confusing, make an amendment. Always track changes.<br />
<br />
Check for points that are made more than once. If there is new information, try to meld the two together for brevity, and readability.<br />
<br />
Make sure that language is as simple as possible. Writers, especially those fluent in English, may use colloquialisms or long words. It is particularly important for readers whose first language is not English to simplify these. <br />
<br />
Example: '''Time seemed to fly''', the conference was '''so packed''' with exciting speakers. <br />
Instead: The conference had lots of exciting speakers.<br />
<br />
As far as possible check accuracy. If there was an event, check the dates, that names are spelt correctly etc. Google is definitely your friend!<br />
<br />
Check footnotes and references, for both style and completeness. If you think something needs to be referenced, ask for the writer to put that in.<br />
<br />
For some writers (but certainly not all), this may be the first time they are publishing something in English. Your role MAY be to guide and advise them. It is usually clear from the text itself if this is the case. Always phrase guidance respectfully and positively.<br />
<br />
Its important that you encourage the writers to provide as many links within the text as possible. Some writers might not be used to write in online platforms, so we should try to make the text as fluid and rich as possible. The articles can't cover all the contextual information that understanding the content of the article might require, but links can be quite useful for that. <br />
<br />
Editors should also help writers understand how important is to save some time to search in the website and select related articles and resources as much as possible. This way we build on previous writings and we offer the readership a much prolific reading experience. And we increase our chances of readers to get interested in related materials and to stay on the website!<br />
<br />
Some pieces may need two or three edits. Be prepared!<br />
<br />
'''Editing a translation'''<br />
<br />
Many of GenderIT.org articles are translations (from English to Spanish or viceversa). Editing translations has its own challenges, since the mediation of the translator is a second voice that shows in the final article. Always edit the translated article with the original in hand, so you can double-check that the translator didn't misunderstand any phrase or word. In some cases, when translators do not understand a very specific word or expression, they might highlight it for your consideration, so be ready to solve that quiz. Going back to the author and asking for synonyms or alternative ways of saying it might help.<br />
<br />
<br />
'''Quick links'''<br />
<br />
Link here to Code of ethics; Style guide; Editorial guide; Citation guide.<br />
<br />
<br />
'''Checklist'''<br />
<br />
1. Does the piece as a whole make sense? Is the argument/ are the points clear? Is there any repetition, and if so, does it serve a purpose?<br />
<br />
2. Is the language clear? Are there any colloquialisms? Are there any words or phrases that a person whose first language is not English may have difficulty understanding?<br />
<br />
3. Are the grammar and spelling correct?<br />
<br />
4. Are all quotes or other materials adequately referenced, following the house style?<br />
<br />
5. Is there anything missing? Is there an argument or idea that the writer could have followed up on that would strengthen the article? Are there any suggestions you'd like to make to the writer?</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_work_with_audio&diff=227How to work with audio2015-05-18T11:58:54Z<p>Tarryn: </p>
<hr />
<div>'''The GenderIT.org guide to producing audio'''<br />
<br />
<br />
'''Introduction'''<br />
<br />
The aim of this guide is to provide information and resources that will provide a road-map for those new to the medium of audio, while also providing quick links and reference for those with some experience who want a refresher on particular topics or questions.<br />
<br />
Voice can be an immensely warm media, bringing stories into your office, living room or car. It's also a great medium for feminists. <br />
<br />
<br />
'''Overview'''<br />
<br />
Unesco publishes a guide on how to do community radio. While the first section deals with setting up a station, the second section is on how to make programmes. It is available [http://www.unesco.org/new/en/communication-and-information/resources/publications-and-communication-materials/publications/full-list/how-to-do-community-radio-a-primer-for-community-radio-operators/ online].<br />
<br />
The first thing is to make great sound recordings. You can fix audio that has some mistakes, but it's much easier to make sure that the recording is as 'clean' as possible. A simple guide that covers most of the important points can be found [http://www.soundportraits.org/education/how_to_record/ here] but keep in mind the points below about power and respect.<br />
<br />
<br />
'''Technical tools'''<br />
<br />
If you plan on doing a lot of audio, download an audio editor – [http://sourceforge.net/projects/audacity/?source=directory Audacity] is one of the most popular, free, open-source sound editors out there, and it can do most of what can be done by far more costly software packages. A fairly simple to follow tutorial is available [https://www.youtube.com/watch?v=lrPGMjZORCM here] – but there are loads of videos to help guide you through any issues you may have. The Audacity community is also quite active, so post any problems you face and you're bound to get some help.<br />
<br />
<br />
With Audacity, you can record sound from Skype, but the quality can be too poor for broadcast, if you're hoping that stations will pick up the story. It is fine for the website. You can also use it to record conversations using any mic plugged into your computer, including the internal mic.<br />
<br />
<br />
'''Methods'''<br />
<br />
One of the reasons GenderIT encourages contributors to make audio is because the airwaves, including both mainstream and community radio, are still dominated by male voices, issues and concerns. Feminist audio is different from malestream audio in that:<br />
<br />
1) It privileges female voices, to address existing power imbalances.<br />
<br />
2) It is always conscious of the power involved in any interview or discussion. Generally, if you are interviewing somebody, you hold more power than they do. It is your responsibility to ensure that their voice is heard in a way that is empowering for them. This means you allow them time to feel comfortable, to review what they have said, to restart or redo what they have said. Obviously there are exceptions – politicians and other prominent personalities may have more power than the interviewer. But, as a general rule, check whether these are voices that need to be heard on GenderIT. Do they have other ways of reaching a wide audience? If so, maybe we need to be looking for someone else.<br />
<br />
<br />
Follow these guidelines, bearing in mind what is written in the code of ethics and the manifesto, and you'll be producing radio-worthy audio in no time.<br />
<br />
<br />
'''Other resources'''<br />
<br />
Some useful resources:<br />
<br />
1. Transom.org – a radio specialists' guide to tools and tips for using sound editing software, including Audacity.<br />
<br />
2. [http://audacity.sourceforge.net/community/users The Audacity user community]<br />
<br />
3. The [http://www.amarc.org/index.php?p=Gender_Policy_entrance_page AMARC Gender Policy] is a useful document that looks at the issue of power and women's voices. <br />
<br />
<br />
'''Checklist'''<br />
<br />
1. Listen back to the audio recording. Sometimes strange things creep in without you noticing!<br />
<br />
2. Are all sound effects and/ or music licensed under an appropriate copy-free license?<br />
<br />
3. Make sure you can spell all names that are mentioned, for tagging online, and to make sure that any transcript is accurate.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_work_with_audio&diff=226How to work with audio2015-05-18T11:58:08Z<p>Tarryn: </p>
<hr />
<div>'''The GenderIT.org guide to producing audio'''<br />
<br />
<br />
'''Introduction'''<br />
<br />
The aim of this guide is to provide information and resources that will provide a road-map for those new to the medium of audio, while also providing quick links and reference for those with some experience who want a refresher on particular topics or questions.<br />
<br />
Voice can be an immensely warm media, bringing stories into your office, living room or car. It's also a great medium for feminists. <br />
<br />
<br />
'''Overview'''<br />
<br />
Unesco publishes a guide on how to do community radio. While the first section deals with setting up a station, the second section is on how to make programmes. It is available [http://www.unesco.org/new/en/communication-and-information/resources/publications-and-communication-materials/publications/full-list/how-to-do-community-radio-a-primer-for-community-radio-operators/ online].<br />
<br />
The first thing is to make great sound recordings. You can fix audio that has some mistakes, but it's much easier to make sure that the recording is as 'clean' as possible. A simple guide that covers most of the important points can be found [http://www.soundportraits.org/education/how_to_record/ here] but keep in mind the points below about power and respect.<br />
<br />
<br />
'''Technical tools'''<br />
<br />
If you plan on doing a lot of audio, download an audio editor – [http://sourceforge.net/projects/audacity/?source=directory Audacity] is one of the most popular, free, open-source sound editors out there, and it can do most of what can be done by far more costly software packages. A fairly simple to follow tutorial is available [https://www.youtube.com/watch?v=lrPGMjZORCM here] – but there are loads of videos to help guide you through any issues you may have. The Audacity community is also quite active, so post any problems you face and you're bound to get some help.<br />
<br />
With Audacity, you can record sound from Skype, but the quality can be too poor for broadcast, if you're hoping that stations will pick up the story. It is fine for the website. You can also use it to record conversations using any mic plugged into your computer, including the internal mic.<br />
<br />
<br />
'''Methods'''<br />
<br />
One of the reasons GenderIT encourages contributors to make audio is because the airwaves, including both mainstream and community radio, are still dominated by male voices, issues and concerns. Feminist audio is different from malestream audio in that:<br />
<br />
1) It privileges female voices, to address existing power imbalances.<br />
<br />
2) It is always conscious of the power involved in any interview or discussion. Generally, if you are interviewing somebody, you hold more power than they do. It is your responsibility to ensure that their voice is heard in a way that is empowering for them. This means you allow them time to feel comfortable, to review what they have said, to restart or redo what they have said. Obviously there are exceptions – politicians and other prominent personalities may have more power than the interviewer. But, as a general rule, check whether these are voices that need to be heard on GenderIT. Do they have other ways of reaching a wide audience? If so, maybe we need to be looking for someone else.<br />
<br />
Follow these guidelines, bearing in mind what is written in the code of ethics and the manifesto, and you'll be producing radio-worthy audio in no time.<br />
<br />
<br />
'''Other resources'''<br />
<br />
Some useful resources:<br />
<br />
1. Transom.org – a radio specialists' guide to tools and tips for using sound editing software, including Audacity.<br />
<br />
2. [http://audacity.sourceforge.net/community/users The Audacity user community]<br />
<br />
3. The [http://www.amarc.org/index.php?p=Gender_Policy_entrance_page AMARC Gender Policy] is a useful document that looks at the issue of power and women's voices. <br />
<br />
<br />
'''Checklist'''<br />
<br />
1. Listen back to the audio recording. Sometimes strange things creep in without you noticing!<br />
<br />
2. Are all sound effects and/ or music licensed under an appropriate copy-free license?<br />
<br />
3. Make sure you can spell all names that are mentioned, for tagging online, and to make sure that any transcript is accurate.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_work_with_audio&diff=225How to work with audio2015-05-18T11:55:02Z<p>Tarryn: </p>
<hr />
<div>'''The GenderIT.org guide to producing audio'''<br />
<br />
<br />
'''Introduction'''<br />
<br />
The aim of this guide is to provide information and resources that will provide a road-map for those new to the medium of audio, while also providing quick links and reference for those with some experience who want a refresher on particular topics or questions.<br />
<br />
Voice can be an immensely warm media, bringing stories into your office, living room or car. It's also a great medium for feminists. <br />
<br />
<br />
'''Overview'''<br />
<br />
Unesco publishes a guide on how to do community radio. While the first section deals with setting up a station, the second section is on how to make programmes. It is available online at http://www.unesco.org/new/en/communication-and-information/resources/publications-and-communication-materials/publications/full-list/how-to-do-community-radio-a-primer-for-community-radio-operators/.<br />
<br />
The first thing is to make great sound recordings. You can fix audio that has some mistakes, but it's much easier to make sure that the recording is as 'clean' as possible. A simple guide that covers most of the important points is http://www.soundportraits.org/education/how_to_record/ but keep in mind the points below about power and respect.<br />
<br />
<br />
'''Technical tools'''<br />
<br />
If you plan on doing a lot of audio, download an audio editor – Audacity <http://sourceforge.net/projects/audacity/?source=directory> is one of the most popular, free, open-source sound editors out there, and it can do most of what can be done by far more costly software packages. A fairly simple to follow tutorial is available at https://www.youtube.com/watch?v=lrPGMjZORCM – but there are loads of videos to help guide you through any issues you may have. The Audacity community is also quite active, so post any problems you face and you're bound to get some help.<br />
<br />
With Audacity, you can record sound from Skype, but the quality can be too poor for broadcast, if you're hoping that stations will pick up the story. It is fine for the website. You can also use it to record conversations using any mic plugged into your computer, including the internal mic.<br />
<br />
<br />
'''Methods'''<br />
<br />
One of the reasons GenderIT encourages contributors to make audio is because the airwaves, including both mainstream and community radio, are still dominated by male voices, issues and concerns. Feminist audio is different from malestream audio in that:<br />
<br />
1) It privileges female voices, to address existing power imbalances.<br />
<br />
2) It is always conscious of the power involved in any interview or discussion. Generally, if you are interviewing somebody, you hold more power than they do. It is your responsibility to ensure that their voice is heard in a way that is empowering for them. This means you allow them time to feel comfortable, to review what they have said, to restart or redo what they have said. Obviously there are exceptions – politicians and other prominent personalities may have more power than the interviewer. But, as a general rule, check whether these are voices that need to be heard on GenderIT. Do they have other ways of reaching a wide audience? If so, maybe we need to be looking for someone else.<br />
<br />
Follow these guidelines, bearing in mind what is written in the code of ethics and the manifesto, and you'll be producing radio-worthy audio in no time.<br />
<br />
<br />
'''Other resources'''<br />
<br />
Some useful resources:<br />
<br />
1. Transom.org – a radio specialists' guide to tools and tips for using sound editing software, including Audacity.<br />
<br />
2. The Audacity user community - http://audacity.sourceforge.net/community/users<br />
<br />
3. The AMARC Gender Policy is a useful document that looks at the issue of power and women's voices. http://www.amarc.org/index.php?p=Gender_Policy_entrance_page<br />
<br />
<br />
'''Checklist'''<br />
<br />
1. Listen back to the audio recording. Sometimes strange things creep in without you noticing!<br />
<br />
2. Are all sound effects and/ or music licensed under an appropriate copy-free license?<br />
<br />
3. Make sure you can spell all names that are mentioned, for tagging online, and to make sure that any transcript is accurate.</div>Tarrynhttps://writers.wiki.apc.org/index.php?title=How_to_work_with_audio&diff=224How to work with audio2015-05-18T11:54:10Z<p>Tarryn: Created page with "'''The GenderIT.org guide to producing audio''' '''Introduction''' The aim of this guide is to provide information and resources that will provide a road-map for those new t..."</p>
<hr />
<div>'''The GenderIT.org guide to producing audio'''<br />
<br />
'''Introduction'''<br />
<br />
The aim of this guide is to provide information and resources that will provide a road-map for those new to the medium of audio, while also providing quick links and reference for those with some experience who want a refresher on particular topics or questions.<br />
<br />
Voice can be an immensely warm media, bringing stories into your office, living room or car. It's also a great medium for feminists. <br />
<br />
'''Overview'''<br />
<br />
Unesco publishes a guide on how to do community radio. While the first section deals with setting up a station, the second section is on how to make programmes. It is available online at http://www.unesco.org/new/en/communication-and-information/resources/publications-and-communication-materials/publications/full-list/how-to-do-community-radio-a-primer-for-community-radio-operators/.<br />
<br />
The first thing is to make great sound recordings. You can fix audio that has some mistakes, but it's much easier to make sure that the recording is as 'clean' as possible. A simple guide that covers most of the important points is http://www.soundportraits.org/education/how_to_record/ but keep in mind the points below about power and respect.<br />
<br />
'''Technical tools'''<br />
<br />
If you plan on doing a lot of audio, download an audio editor – Audacity <http://sourceforge.net/projects/audacity/?source=directory> is one of the most popular, free, open-source sound editors out there, and it can do most of what can be done by far more costly software packages. A fairly simple to follow tutorial is available at https://www.youtube.com/watch?v=lrPGMjZORCM – but there are loads of videos to help guide you through any issues you may have. The Audacity community is also quite active, so post any problems you face and you're bound to get some help.<br />
<br />
With Audacity, you can record sound from Skype, but the quality can be too poor for broadcast, if you're hoping that stations will pick up the story. It is fine for the website. You can also use it to record conversations using any mic plugged into your computer, including the internal mic.<br />
<br />
'''Methods'''<br />
<br />
One of the reasons GenderIT encourages contributors to make audio is because the airwaves, including both mainstream and community radio, are still dominated by male voices, issues and concerns. Feminist audio is different from malestream audio in that:<br />
<br />
1) It privileges female voices, to address existing power imbalances.<br />
2) It is always conscious of the power involved in any interview or discussion. Generally, if you are interviewing somebody, you hold more power than they do. It is your responsibility to ensure that their voice is heard in a way that is empowering for them. This means you allow them time to feel comfortable, to review what they have said, to restart or redo what they have said. Obviously there are exceptions – politicians and other prominent personalities may have more power than the interviewer. But, as a general rule, check whether these are voices that need to be heard on GenderIT. Do they have other ways of reaching a wide audience? If so, maybe we need to be looking for someone else.<br />
<br />
Follow these guidelines, bearing in mind what is written in the code of ethics and the manifesto, and you'll be producing radio-worthy audio in no time.<br />
<br />
'''Other resources'''<br />
<br />
Some useful resources:<br />
<br />
1. Transom.org – a radio specialists' guide to tools and tips for using sound editing software, including Audacity.<br />
<br />
2. The Audacity user community - http://audacity.sourceforge.net/community/users<br />
<br />
3. The AMARC Gender Policy is a useful document that looks at the issue of power and women's voices. http://www.amarc.org/index.php?p=Gender_Policy_entrance_page<br />
<br />
<br />
'''Checklist'''<br />
<br />
1. Listen back to the audio recording. Sometimes strange things creep in without you noticing!<br />
<br />
2. Are all sound effects and/ or music licensed under an appropriate copy-free license?<br />
<br />
3. Make sure you can spell all names that are mentioned, for tagging online, and to make sure that any transcript is accurate.</div>Tarryn