Secure online communications: Difference between revisions

From APC Writer's Wiki
'''Anti-virus, anti-spyware and back-up applications'''

For recommendations on application choice, see the Virus protection and Backing up data sections.

'''Other software'''

There are reliable free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include GIMP for image manipulation, Audacity for audio editing, OpenShot for video editing, Scribus for desktop publishing and many others. If you are using proprietary software and are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.

'''Document sharing standards'''

Unless there is a specific need to use a proprietary format (e.g. automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards.

'''Passwords'''

[Basic information and why you shouldn't use the same password for everything]

'''Web browser password managers'''

Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, whether physical access or remote access, for example via a spyware program.

='''Online privacy'''=

'''Basic privacy measures when browsing online'''

When browsing the internet, the user leaves many traces behind, both on visited websites and on the computer being used. Browser extensions can prevent visited services from ‘profiling’ you based on your online behaviour and monetising this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:

'''Anonymous browsing and circumvention'''

Team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries, SHOULD use anonymisation software such as TOR. Users of Android and iOS-based portable devices can install Orbot, an implementation of TOR for portable devices, and Orweb, a browser that enables anonymous web browsing over the TOR service.

'''Other anonymous communications'''

Use of TOR is also recommended for other communication that is generally legitimate and ethical but conflicts with the legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All of a staff member's connections to the internet, including chat, email and P2P networking, can be anonymised if needed by routing them through TOR.

='''Generating and sharing images, video, audio and digital stories'''=

APC work dealing with audiovisual (A/V) recordings and digital stories is governed by the following policies:

'''Storing A/V material and images'''

The principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr or Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.

'''Sharing A/V material and images'''

A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without the consent of those who have been photographed or filmed. Such material may be shared with colleagues in the APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.

'''Phones and Other Portable Devices'''

All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.

'''Threats Resulting from Social Engineering Activities'''

A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. The only possible defence is awareness and sound judgement when dealing with suspicious communication.

='''Managing Organisational Infrastructure'''=

The following principles apply to management of organisational infrastructure:

'''General'''

* Administrative passwords to all APC mailing lists will be changed twice a year.

'''Staff exit management'''

* When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved if needed.

'''Agreement with organisational partners on sensitive information'''

When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:

'''Activity-specific security policies'''

When organising an event of a sensitive nature, such as one where participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:

'''Online Databases and Access to Servers'''

When designing online databases that are meant to host sensitive content such as personal information, the following rules must be followed by the server administrator:

Latest revision as of 15:01, 31 May 2016

The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data. Below is an overview of some of the DOs, DON'Ts and best practices, “CONSIDERATIONS,” that are covered more in depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff, which must be followed in compliance with APC policy.

Executive Summary

DOs

  • Configure your email client to communicate with the server via a secure SSL/TLS connection.
  • Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.
  • Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.
  • Follow APC's guidelines for mailing lists and encrypted mailing lists.
  • Use OwnCloud for cloud data storage and data sharing.
  • Use OwnCloud calendaring to host shared calendars (replacing Google Calendars).
  • Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.
  • Use Jitsi for messaging/VoIP communication whenever possible, and for all messaging/VoIP communication within the APC team.
  • Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.
  • Use and periodically update anti-virus software on your computer.
  • Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.
  • Install LibreOffice or another office package that supports open format standards.
  • Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices).
  • Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces.
  • Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices.
  • Follow APC’s policy for work relating to A/V recordings and digital stories.
  • Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have the least doubt.
  • Ensure that no unauthorized entity has access to your computing devices or data stored on them, including back up devices.

DON’Ts

  • Use Skype on other people's machines for conversations that contain highly compromising information or conversations that involve participants whose identity must be kept secret.
  • Use Skype for communication within APC team, unless it is absolutely necessary.
  • Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.
  • Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.
  • Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.

CONSIDER

  • Finding out whether or not the use of encryption in internet communication is legal in your country of residence.
  • Educating yourself on issues of privacy related to communication in encrypted lists.
  • Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.
  • Using an open source password management software such as Keepass if you can not remember all your passphrases.
  • Backing up your data at least once per week, if not more often. Back-up media must be stored in a safe place. Additionally, all confidential or sensitive APC-related back-up data should be encrypted.
  • Prioritising free and open source software whenever possible.
  • Connecting to web content via https connection whenever possible.
  • Following APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.

Purpose

This policy outlines the acceptable use of computer equipment and portable devices at APC. Inappropriate use of ICTs exposes APC to risks including virus attacks, compromise of network systems and services and disclosure of private information that can put APC, APC staff and its collaborators at risk. This policy is in place to protect both the organisation and individuals.

Scope

This policy applies to APC staff, interns and other workers at APC. It also applies to all equipment, data and communications related to APC and its projects. This policy does not apply to devices used exclusively for personal communication, although applying a similar policy for such communication is highly recommended. The APC Security Policy forms part of APC's HR Resources Manual and all APC staff are asked to read it and sign it.

Prospective users of the policy

APC staff will be responsible for applying the guidelines in the APC Security Policy, and it will be made available to the entire APC network with the expectation that some network members will be interested in applying some variant of the policy. Once the policy is implemented and time tested, a generic version will be developed and disseminated online under an open licence.

APC Security Policy

Email and email list communication

Email client security settings

For choice of email client applications, see section Application choice. Some clients, such as Mozilla Thunderbird, have SSL/TLS as a default setting when configuring a new email account. Without a secure SSL/TLS connection, the content of your email communication is sent in plain text through several communication nodes between your computer and your mail server. The following principles apply to securely communicating over email:

General email communication

APC staff follows this policy for exchanging email communication:

  • Do not open email and attachments from people you do not trust.
  • Use plaintext rather than html, when practical.
  • Before forwarding any messages originating in APC lists, check carefully that the forwarded thread does not contain any information that was meant only for a given team or that might be considered private.
  • Keep in mind that the participants in APC lists change and some project lists may also include people who are not part of the APC team or the wider APC network. Therefore, make sure to not share internal information on such lists.
  • If you wish for your message to stay strictly internal, you MUST state clearly that it is internal in the body and the subject line of the message.
  • Information that is potentially compromising for you or others MUST NOT be shared on APC lists but should be sent directly to the intended recipients, ideally in encrypted format. See the next section Encrypted email communication.


Encrypted email communication

While it is not expected that staff will encrypt all communications, they MUST be able to exchange encrypted communication when needed using an OpenPGP key. Therefore, all APC staff must be equipped with an OpenPGP-compliant application that allows them to encrypt email communication and other data. For Mozilla Firefox users, the add-on Enigmail is a trusted option. APC staff should use the following checklist to determine whether email communication needs to be encrypted.

  • Not all emails exchanged by the team need to be encrypted.
  • All sensitive information should be encrypted, even mildly sensitive information such as private details about others or passwords to not-so-important accounts.
  • All replies to and forwards of encrypted email messages should also be encrypted.
  • The subject line of encrypted messages should be discreet, since this, along with other metadata, is not encrypted.
  • Avoid sending attachments. If you must, and those attachments must also be encrypted, ensure your email client supports and is using the PGP/MIME encryption standard.
  • If links are pasted into an email, the email should be PGP-signed. The same goes for emails with attachments; the signature authenticates that neither the content nor the link will harm the recipient.
  • Team members sign messages when it is important that trust be established.
  • Team members sign messages when there is a possibility that the content of the email could be compromising to someone (e.g. when specific instructions are given).
  • The most sensitive information should be inserted in email body, not the attachments.
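The following Python is an added illustration, not code from the APC policy or from any mail client: it wraps a constructed placeholder ciphertext in the RFC 3156 PGP/MIME container and then reads the result the way a mail relay or list re-mailer would, to show that the subject line and other headers remain in cleartext while only the body part is opaque. The addresses, subject, date and placeholder ciphertext are constructed values.

```python
# Added illustration (not APC's code): wraps a CONSTRUCTED placeholder
# ciphertext in the RFC 3156 PGP/MIME container and inspects the result the
# way a mail relay or list re-mailer would, to show that From, To, Date and
# especially Subject stay readable while only the body part is opaque.
from email import encoders, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.parser import BytesParser

# Constructed stand-in for the armored output gpg would produce; it is not a
# real OpenPGP packet and cannot be decrypted.
PLACEHOLDER_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n\n"
    "hQEMA0NPTlNUUlVDVEVEAQf/CONSTRUCTED-PLACEHOLDER-NOT-REAL-CIPHERTEXT\n"
    "-----END PGP MESSAGE-----\n"
)


def build_pgp_mime_message(sender, recipient, subject, ciphertext):
    """Return the raw bytes of an RFC 3156 multipart/encrypted message.

    The container has exactly two parts: the fixed control part
    (application/pgp-encrypted, body "Version: 1") and the opaque
    application/octet-stream part carrying the ciphertext.
    """
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = subject
    outer["Date"] = "Tue, 31 May 2016 15:01:00 +0000"  # constructed value
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    payload = MIMEApplication(ciphertext.encode("ascii"), "octet-stream",
                              _encoder=encoders.encode_7or8bit)
    outer.attach(control)
    outer.attach(payload)
    return outer.as_bytes()


def relay_view(raw_bytes):
    """Parse raw_bytes as any intermediate mail server sees them.

    Everything returned here is cleartext on the wire: the headers, the
    container type and the list of part types. Only the content of the
    octet-stream part is protected by the encryption.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    parts = list(msg.iter_parts()) if msg.is_multipart() else []
    return {
        "headers": {h: (str(msg[h]) if msg[h] is not None else None)
                    for h in ("From", "To", "Subject", "Date")},
        "content_type": msg.get_content_type(),
        "protocol": msg.get_param("protocol"),
        "part_types": [p.get_content_type() for p in parts],
    }


def audit_before_sending(raw_bytes, sensitive_terms):
    """Pre-send check mirroring the checklist above.

    Returns a list of findings (empty means nothing obvious leaks): the
    body must be inside a PGP/MIME container, and the Subject must not
    carry any of the given sensitive terms, because the Subject travels
    unencrypted no matter how strong the body encryption is.
    """
    view = relay_view(raw_bytes)
    findings = []
    if view["content_type"] != "multipart/encrypted":
        findings.append("body is not PGP/MIME encrypted (%s)"
                        % view["content_type"])
    subject = (view["headers"]["Subject"] or "").lower()
    for term in sensitive_terms:
        if term.lower() in subject:
            findings.append("subject line exposes %r in cleartext" % term)
    return findings


if __name__ == "__main__":
    raw = build_pgp_mime_message("alice@example.org", "bob@example.org",
                                 "Passport numbers for the workshop",
                                 PLACEHOLDER_CIPHERTEXT)
    for key, value in relay_view(raw).items():
        print(key, "->", value)
    print(audit_before_sending(raw, ["passport", "password"]))
```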

Remember that email encryption is illegal in some countries. Among the countries where APC is active, these include Pakistan and Venezuela. APC staff can consult local organisations and legal support groups to find out:

  • The legality of encrypted communication by individuals
  • How encrypted communication is being prosecuted.


Mailing lists

Each time a new person joins an APC mailing list, they MUST be announced to the list. Footers of all APC mailing lists MUST include instructions on how to retrieve information about other subscribers, so that all list members can check at any time who else is subscribed to a particular list. While neither of these conditions applies to distribution or broadcast lists such as APC News and APC Forum lists, each message of those lists must contain information about how to unsubscribe, usually in the footer. People should not be subscribed to broadcast lists without their knowledge and permission.


Encrypted mailing lists

Setting up encrypted mailing lists should be considered for projects that include very sensitive communication and where the following conditions can be met:

  • It is certain that all users of the list will be able to use PGP encryption.
  • None of the list participants resides in a country where PGP encryption is illegal or is likely to be illegal in the near future.


APC currently does not host its own encrypted lists but we plan to do so in future. When APC has the capacity to host encrypted mailing lists their usage will become mandatory for coordination of sensitive projects, such as projects dealing with Human Rights defense. There are some other activist groups that host encrypted mailing lists and can be approached (e.g. nadir.org).


General rules for using encrypted lists

When sending information that is potentially dangerous for you or other people always give it a second thought before sending. Remember that even encrypted messages can be decrypted with a single subscriber's key. If you must send something that, if connected to you, could put you or other people in trouble, consider sending it to one or more individuals directly rather than to the list and PGP-signing the message.

If you send something to the list asking others to do something for you, you MUST sign it so others can be sure that it is you!


Do not obscure the subject line or divulge secret information in the subject line. The subject line and the metadata (e.g. headers) of a message sent to an encrypted list are NOT encrypted. You SHOULD make the subject line informative, because messages sent through an encrypted list do not show the sender, at least not until they are decrypted.

Do not forward messages off-list without explicit permission from the sender and everyone who contributed to the forwarded thread.


An encrypted list breaks one of the most important foundations of cryptography: knowing who you are talking to. When you send an encrypted message directly to one or more individuals, you must encrypt it with the public key or keys of each recipient, forcing you to think carefully about who you are sending it to and ensuring it can only be opened by that person.


When you send an encrypted message to an encrypted list, you cannot be sure who is going to receive it. While we can rely on a trustworthy moderator to report new subscribers, or even set up the list manager to report new subscriptions, by sending a message to an encrypted list you are sending your top-secret message to a re-mailer that you don't control.

Online data storage and sharing

Online data storage, often referred to as “the cloud,” allows for greater collaboration and sharing of information but also introduces data security concerns, since control of the data becomes shared with, or in some cases entirely handed over to, a third party. For internal sharing and online data storage, APC uses exclusively a self-hosted OwnCloud installation. All staff members MUST use OwnCloud, which works like other commercial services, either by installing a client or through a web browser. Use of the client and web interface is detailed in the APC OwnCloud Manual.


What should NOT be stored in APC OwnCloud

APC's OwnCloud instance is NOT encrypted. Team members MUST NOT use it to store highly sensitive data (see Appendix 2 for a definition of what is considered sensitive data).


Collaboration with external partners

Accounts on APC OwnCloud should be created for external collaborators working on APC projects. Project coordinators must request that the APC system administrator create these user accounts and any user group to which people working in a given project should be added. This safeguard prevents information from being shared with collaborators or team members for whom it is not intended. Team members must be particularly careful when sharing information with a group of users via OwnCloud. It is very easy to make a mistake when selecting a user or user group.


Shared calendars

APC uses the shared calendar feature of its self-hosted OwnCloud installation to reduce the amount of data we share with third parties. Calendars can be shared among multiple users and user groups. The platform follows the open CalDAV standard, which is compatible with the vast majority of calendar and task-management applications.

OwnCloud and contact synchronisation

APC staff are encouraged to use APC's OwnCloud for backing up their personal contacts and for synchronisation across devices. This can fully replace synchronisation over Gmail accounts and can help APC staff get their personal data off Google's servers.


Collaborative document editing

Share files in OwnCloud for asynchronous, collaborative document editing. In cases when real-time online collaborative editing is needed, use etherpads hosted by May First or Riseup. This applies both to text documents and to spreadsheets.

Riseup's Etherpad: https://pad.riseup.net

MayFirst's EtherCalc (spreadsheet): https://calc.mayfirst.org


Use Google Docs only in cases when a document must be edited synchronously in complex formats that are not available in Etherpad. Be aware that after you finish editing a document in Etherpad, you must download and store it locally: Riseup deletes unused pads after 30 days, whereas Google Docs are stored indefinitely.


OwnCloud 6.0 will include an online collaborative editing feature, based on open document format (ODF). The functionalities will be very similar to those provided by GoogleDocs. Once the system is available and tested, APC will start using its OwnCloud for collaborative editing of documents with complex formatting.


Instant messaging and voice

For the team's instant communication, APC uses the Jitsi VoIP and instant messaging client. As of January 2014, it is the only existing open source client that provides end-to-end encrypted communication through open communication protocols (XMPP/Jabber, SIP) and is available for all major platforms. Team members must create an account on jit.si (an XMPP/Jabber account provided by the Jitsi developers).


Since APC uses Jitsi for calls and text messages over open protocols, you are welcome to use other open source clients to make calls through your jit.si account. However, for all types of sensitive communication, the Jitsi client must be used, as it is the only currently existing cross-platform client that provides full encryption.


Since most VoIP communication outside APC takes place over Skype, the dominant VoIP/texting option, APC team members are not expected to drop Skype altogether. However, be aware that Skype is not a secure communication option and it should not be used for highly sensitive communication. Always use the Jabber or SIP protocols (on Jitsi or other clients) when possible. Inform your communication partners about the advantages of migrating to secure open protocols and applications. If, despite all this, you cannot avoid having a chat over Skype, be aware that the content of Skype text chats is stored locally on the machine from which you are chatting, in addition to being stored on Microsoft-controlled servers. Never chat about sensitive issues from computers that are not yours!


To make secure VoIP calls from your Android mobile to other smartphones or computers, use CSipSimple or Lumicall. These VoIP applications for Android allow the use of ZRTP encryption for calls made over SIP networks. That way you can make secure end-to-end encrypted calls to other people who are using CSipSimple, Lumicall or Jitsi.


Using wifi

Wifi encryption security has known shortcomings. If possible, APC staff SHOULD use a wired connection when connecting from the office or home. If you cannot avoid using wifi, follow these rules for establishing a secure connection:

  • Never connect to anonymous open networks.
  • Connect only to wifi networks that you trust.
  • Password protect your home or office wifi network.
  • Use WPA2 encryption (strongest) for your home or office wifi network.
  • Disable WPA/WPA2 wireless access points.

Some older hardware will not connect to an access point with WPA2 encryption. Where there is a choice only between WEP and WPA encryption, WPA must be chosen for its improved security.

Backing up data

General

According to APC HR policy, all APC staff MUST periodically back up their work-related data, preferably to . There are a number of free and open source back-up tools that can facilitate and automate the back-up process on team members' computers and portable devices.

Depending on your email client settings and whether you are using IMAP or POP, all emails in an apc.org inbox are stored on GreenNet servers, which are automatically backed up nightly. Some versions of this backup are kept for up to one year. However, staff are encouraged to back up their emails themselves, if only for a much quicker recovery time.

Encrypting back-up data

It is recommended that all work-related data are backed up with encryption, but there are types of data one doesn't need to encrypt, such as documents that have no sensitive nature. There are a number of available open source tools that convert external hard drives or memory sticks into encrypted drives. Data backed up on CDs and DVDs should be encrypted prior to burning.


Using cloud storage

Backing up sensitive data in the cloud, or simply on a networked server, is generally not recommended due to the lack of control one has over a third-party cloud service. However, if you cannot avoid using cloud services for back up, use one that you trust, like APC's OwnCloud.


Data on external devices

For principles of storage and management of data on portable devices, follow the section Secure data handling and sharing. Portable devices are particularly vulnerable to being compromised through loss or confiscation of the device or malware infection.

Transporting sensitive data in hostile environments

When carrying sensitive data in situations where associating such data with its carrier would be highly compromising, APC staff SHOULD:

  • Hide such data on your portable device in a secret encrypted drive1, or
  • Hide such data inside another, seemingly innocent type of data using steganography techniques.

Virus protection

Every APC staff member is required to use and periodically update anti-virus software on their computer. This also applies to staff members whose operating systems, such as GNU/Linux or MacOS, are currently not vulnerable to virus contamination. Whether one's own computer is infected or not, choosing not to use any anti-virus software can lead to spreading viruses by email or portable media among colleagues and collaborators, which represents a potential security threat. It is recommended that Windows users use the open source anti-virus software Clamwin with the Clam Sentinel add-on1. However, most free versions of commercially available anti-virus software provide very good protection as well, so the choice of anti-virus application is a personal one. See “AV comparative table” on Wikipedia for a list of details and features2. GNU/Linux and MacOS users are encouraged to use the open source Clamav anti-virus software. Other recommended anti-virus applications for Mac are Sophos (freeware) and ClamXav (free).


Malicious Scripts and Web Browsers

It is highly recommended that team members configure their browsers so as to minimise the risk of downloading and executing malicious scripts embedded in websites.

Recommended extensions for Firefox and Chrome browsers are:

Firefox: NoScript, BrowserProtect, BetterPrivacy1

Chrome: NotScripts2.

Note: Some of these extensions might inhibit some functionalities based on JavaScript, e.g. Facebook chat.

Dealing with sensitive data

Collecting sensitive data

For collection of personal data, APC is generally guided by terms 1-7 of the UK data protection principles, without those being legally binding in any way.1 It is the responsibility of project managers to ensure that plans for handling sensitive information, such as logistics details like passport numbers, are complied with. In messages in which we ask others to submit their data, in introductory pages of online surveys, etc., project managers must clarify what they will do with sensitive information, with whom it will be shared and for how long it will be stored. This applies to hard copies as well as to data stored on desktops, file servers or online. When collecting sensitive personal data (e.g. logistics-related information), the project manager in charge should develop brief documentation that outlines how the data will be used, whether and how it will be shared and when it will be deleted from the APC server or local databases. If the data will be stored for later use (e.g. for the APC contact database), the documentation must clarify which data will be stored, in what format, whether it will be encrypted, and whether and when it will be erased.

Data that are considered even mildly sensitive MUST be collected using APC's LimeSurvey online survey tool, encrypted email communication, or other secure and encrypted means. Data that are not considered sensitive can also be collected using LimeSurvey, as well as email questionnaires or other means that facilitate data collection and manipulation.

When collecting sensitive information with LimeSurvey, the person responsible for the integrity of the collected information should assure that:

  • No one besides selected team members and the APC system administrator has access to the collected data.
  • Survey results are deleted from the LimeSurvey database as soon as they are processed.


Secure data handling and sharing

Encryption is particularly important in the case of data that contains private, personal information or information that could be compromising to you or other people. There are a number of ways in which data can be encrypted, for example with your OpenPGP key or with a standalone encryption application (see the section Encryption for more details). Data can be also stored in a secure, encrypted database such as KeePass1 (see the section Passwords).

To share such sensitive data with others over the internet, APC staff MUST encrypt it with the recipients' PGP keys before sending. For particularly sensitive data it is better to share it as a KeePass database and to communicate the password by phone or over an encrypted voice call, e.g. a Jitsi call.


Application choice

Free and open source software is generally more secure than proprietary software. Mainstream operating systems and applications whose code is regularly reviewed by independent reviewers offer a guarantee that they do only what they are supposed to do and do not perform any other actions, such as unwanted collection of user data.

APC staff SHOULD consider using one of the many open source operating systems. Particularly, Ubuntu (GNU/Linux) users can find solid support from other APC team members and there is ample experience with other GNU/Linux distributions within the wider APC community. GNU/Linux facilitates secure data handling and storage very well 1. Users of proprietary operating systems can nevertheless use open source software for most of their computing needs, which significantly improves the safety of their data and hardware.

Email client

One of the best-supported and most feature-rich email clients currently available is Mozilla Thunderbird2. Thunderbird works with Windows, Mac and GNU/Linux, and it is widely used and supported by the APC team and members.

Web browser

Mozilla Firefox1 is one of the most feature-rich, extensible and secure internet browsers. Compared to Internet Explorer (IE), it also supports a wider range of industry-accepted standards such as HTML5. Using Mozilla Firefox with the appropriate add-ons or plug-ins will make your internet browsing significantly safer. See the section Secure Internet browsing for more details. Another recommended browser for GNU/Linux users with the KDE desktop environment is Konqueror.

Those team members who cannot avoid using IE (e.g. because it is required for administration of APC finance system) SHOULD use Sun's Java Virtual Machine (JVM), not the insecure Microsoft JVM environment2.

Office suite

Despite occasional compatibility issues with open source alternatives, Microsoft Office is typically not needed for APC work or most other office tasks. Since the APC team shares documents in the Open Document Format (ODF), team members MUST install LibreOffice or another office suite that supports open format standards1. If you cannot avoid using Microsoft Office applications, saving and sharing documents in ODF format is recommended for compatibility and also as a means to avoid embedding malicious content.


Instant messaging, audio and video conferencing

Jitsi is the main VoIP and chat application used by the APC team. The team uses the jit.si XMPP/Jabber service as its main service, on which all APC team members have to create an account (see the Instant messaging, chat and voice section for more details).


Anti-virus, anti-spyware and back-up applications

For recommendations on application choice, see Virus protection and Backing up data sections.


Other software

There are reliable, free and open source software (FOSS) applications for all of your computing needs. Well-supported projects with rapid development include Gimp1 for image manipulation, Audacity for audio editing, OpenShot for video editing, Scribus for desktop publishing and many others. If you are using proprietary software and you are interested in replacing it with a FOSS alternative, ask the APC team mailing list or look up an alternative on www.osalt.com.


Document sharing standards

Unless there is a specific need to use a proprietary format (e.g. use of automated donor forms designed in Microsoft Word), APC team members MUST share documents in open format standards1.

The reasons include greater compatibility, accessibility and also security, since documents in open standard formats are less likely to execute malicious scripts on your computer.


Passwords

[Basic information and why you shouldn't use the same password for everything]

If a team member cannot remember all of her/his passwords, s/he SHOULD use a reliable password manager. A reliable open source password manager is KeePass, which is available for all platforms, including those used by most smartphones1. This decreases the risk that your passwords or other sensitive information will be compromised, e.g. through a spyware infection, and allows users to:

  • Carry passphrases encrypted on a portable device and move them between devices
  • Store passwords securely in an encrypted format
  • Store passwords along with other sensitive data such as private PGP/GPG keys, credit card details, sensitive documents, images
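The reuse risk the Passwords section warns about, and the kind of check a password manager makes possible, can be shown with a small audit of a vault export. The following is an added example written for this page, not code from APC or from the KeePass project; the sample entries, the 12-character minimum and the short word list are constructed assumptions. Passwords are compared through a hash fingerprint so the report never contains the secrets themselves, and both generators draw from the `secrets` module rather than `random`.

```python
"""Password hygiene checks and generators for a KeePass-style vault export.

Added example, not part of the APC policy page; the entries below are a
constructed sample of what a password manager export looks like once parsed.
"""
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample entries. Two share a password and two are short, so the
# audit has something to report.
SAMPLE_ENTRIES = [
    {"title": "APC webmail", "username": "alice", "password": "Tr0ub4dor&3"},
    {"title": "APC OwnCloud", "username": "alice", "password": "Tr0ub4dor&3"},
    {"title": "LimeSurvey", "username": "alice", "password": "correct horse battery staple"},
    {"title": "Office wifi", "username": "", "password": "apc2012"},
]

MIN_PASSWORD_LENGTH = 12  # assumed local policy value, not from the page


def fingerprint(password):
    """Short SHA-256 fingerprint so reports never contain the secret itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused(entries):
    """Map fingerprint -> titles for every password shared by several entries.

    Reuse is the key risk: one leaked or phished credential unlocks every
    service where it was recycled."""
    groups = defaultdict(list)
    for entry in entries:
        groups[fingerprint(entry["password"])].append(entry["title"])
    return {fp: titles for fp, titles in groups.items() if len(titles) > 1}


def find_short(entries, min_length=MIN_PASSWORD_LENGTH):
    """Titles of entries whose password is below the minimum length."""
    return [e["title"] for e in entries if len(e["password"]) < min_length]


# Tiny constructed word list; in practice use a large published diceware list.
WORDLIST = ["anchor", "basil", "cobalt", "delta", "ember", "fjord", "garnet",
            "harbor", "iris", "juniper", "kelp", "lumen", "meadow", "nova",
            "orbit", "pebble", "quartz", "raven", "saffron", "tundra"]


def generate_passphrase(words=6, wordlist=WORDLIST):
    """Diceware-style passphrase drawn with the CSPRNG in the secrets module."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def generate_password(length=20):
    """Random password over letters, digits and punctuation (secrets, not random)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(entries):
    """Human-readable audit lines for a vault export."""
    lines = []
    for fp, titles in find_reused(entries).items():
        lines.append(f"password {fp} reused by: {', '.join(titles)}")
    for title in find_short(entries):
        lines.append(f"short password: {title}")
    return lines


if __name__ == "__main__":
    for line in audit(SAMPLE_ENTRIES):
        print(line)
    print("suggested passphrase:", generate_passphrase())
```

To run it against a real vault, load the manager's CSV or XML export into the same list-of-dicts shape; keep the export on an encrypted drive and delete it afterwards, since unlike the vault it is plaintext.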


Web browser password managers

Storing passwords directly in your browser's password manager is very risky, because the passwords are stored unencrypted and can be easily recovered by anyone who gains access to your computer, including both physical access and remote access, for example via a spyware program.

Instead, use the above-mentioned standalone password manager to copy and paste passwords into online forms with just a few clicks, without exposing passwords in a way that they could be identified by spyware applications. Some password management applications integrate with your browser, so that the passwords you chose to store in your browser are automatically and securely handled by the standalone password manager1.


Secure web browsing

Using https protects APC staff not only from possible eavesdroppers who might want to monitor what content they are accessing, but also from intruders intercepting passwords and other sensitive data when they are transferred unencrypted. Particularly if you cannot avoid connecting to a public wifi network, the risk of interception of unencrypted communication and leakage of your passwords is extremely high.

Team members MUST take the following measures (depending on the web browser they use):

  • Install the HTTPS Everywhere extension for your browser, available for Mozilla Firefox and Google Chrome.2
  • Check the security/privacy preferences of your browser and, if such an option is available, choose to connect via a secure connection (https).
  • For third-party services that you use for APC-related work, such as Google, Facebook and Twitter, look for and enable the “always use secure connection” option in the preferences of your account. You did this successfully if, the next time you connect to the given service, its URL starts with https (secure/encrypted http). You SHOULD do this for all your online services that offer this option, thus significantly minimising the chance that someone will hijack your account.

When connecting to the above-mentioned third-party services from a portable device such as a phone, avoid using specialised “apps”. These usually communicate with the service through an unencrypted connection, regardless of whether or not you configured your browser-based service to always communicate via https. When possible, use these services via your mobile browser.
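How an extension such as HTTPS Everywhere turns the measures above into automatic rewrites can be shown with a simplified ruleset engine: each site has target hosts, rewrite rules and exclusions for hosts where https would break. This is an added example, not the extension's own code; the rulesets for example.org and apc.org are constructed for illustration, and the `*.host` wildcard handling is a simplified version of the real semantics. The `still_plain_http` helper gives the list of URLs the extension cannot fix, which is where the per-account "always use secure connection" setting comes in.

```python
"""Simplified HTTPS-upgrade rulesets in the style of HTTPS Everywhere.

Added example, not the extension's code. Rulesets below are constructed;
real rulesets are per-site XML files maintained by the project.
"""
import re
from urllib.parse import urlsplit


class Ruleset:
    """One site's rewrite rules: hosts it covers, URLs it must leave alone
    (exclusions), and regex rewrites from http:// to https://."""

    def __init__(self, name, targets, rules, exclusions=()):
        self.name = name
        self.targets = targets
        self.rules = [(re.compile(pat), repl) for pat, repl in rules]
        self.exclusions = [re.compile(pat) for pat in exclusions]

    def covers(self, host):
        # "*.example.org" covers any subdomain; a bare host matches exactly.
        for target in self.targets:
            if target.startswith("*."):
                if host.endswith(target[1:]):
                    return True
            elif host == target:
                return True
        return False

    def rewrite(self, url):
        """Rewritten URL, or None if the URL is excluded or no rule matches."""
        if any(ex.search(url) for ex in self.exclusions):
            return None
        for pattern, repl in self.rules:
            if pattern.search(url):
                return pattern.sub(repl, url, count=1)
        return None


RULESETS = [
    Ruleset(
        "example.org (constructed)",
        targets=["example.org", "*.example.org"],
        rules=[
            (r"^http://(?:www\.)?example\.org/", r"https://example.org/"),
            (r"^http://([^/]+\.)example\.org/", r"https://\1example.org/"),
        ],
        # A host without working TLS must not be rewritten or the site breaks.
        exclusions=[r"^http://legacy\.example\.org/"],
    ),
    Ruleset("apc.org (constructed)", targets=["apc.org", "*.apc.org"],
            rules=[(r"^http:", "https:")]),
]


def upgrade(url, rulesets=RULESETS):
    """Return the https form of url when a ruleset covers it, else url unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # already https (or not a web URL): nothing to do
    host = parts.hostname or ""
    for ruleset in rulesets:
        if ruleset.covers(host):
            rewritten = ruleset.rewrite(url)
            if rewritten is not None:
                return rewritten
    return url


def still_plain_http(urls, rulesets=RULESETS):
    """URLs that remain http:// after upgrading: the ones to fix by hand, e.g.
    by enabling the service's own 'always use https' account setting."""
    return [u for u in urls if urlsplit(upgrade(u, rulesets)).scheme == "http"]
```

The exclusion list is the part worth noticing from a defender's view: a ruleset that blindly forces https onto a host without a valid certificate does not make the user safer, it trains them to click through certificate warnings.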


Online privacy

Basic privacy measures when browsing online

When browsing the internet, the user leaves many traces behind, both on visited websites and on the computer being used. Browser extensions can also make it impossible for visited services to ‘profile’ you based on your online behaviour and monetise this information. The following extensions/plug-ins enable APC staff to prevent unwanted parties from tracking them:

  • Firefox: BetterPrivacy, Ghostery1
  • Google Chrome: Ghostery, Disconnect.


Anonymous browsing and circumvention

Those team members who need to connect to websites anonymously, or who need to access websites that are blocked in their countries, SHOULD use anonymisation software such as TOR3. Users of Android and iOS-based portable devices can install Orbot, an implementation of TOR for portable devices, and Orweb, a browser that enables anonymous web browsing over the TOR service4.


Other anonymous communications

Use of TOR is also recommended for other communication that is generally legitimate and ethical but conflicts with the legislation of the country from which the communication is made, or in cases when associating the communication with team members might put them or other people at risk. All of a staff member's internet connections, including chat, email and P2P networking, can be anonymised if needed by routing them through TOR.


Generating and sharing images, video, audio and digital stories

APC work dealing with audiovisual (A/V) recordings and digital stories is governed by the following policies:

Informed, verbal consent MUST be obtained from anyone whom APC staff member records on audio or video, unless such recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.

Informed, written consent for the use of images or A/V recordings on APC websites or for other purposes MUST be obtained from all individuals who are captured in that material. Unless these individuals clearly licence APC to re-purpose such material freely in the future, such consent must be requested and granted every time APC plans to use the material.

If images or A/V material that includes one or more individuals is to be stored on a team member's equipment or in APC's online spaces, it MUST be accompanied by documentation on how the material can be used in the future.


Storing A/V material and images

Principles described in the section Dealing with sensitive data apply fully to audiovisual material and images containing work-related footage, pictures, or audio recordings of other people. Such material MUST NOT be stored on third-party online services, e.g. Flickr, Facebook. APC's OwnCloud may be used for storing work-related A/V material and images of other people only when such material does not contain compromising information.


Sharing A/V material and images

A/V footage or pictures of other people MUST NOT be shared with people outside the APC team without the consent of those who have been photographed or filmed. Such material may be shared with colleagues in the APC team for specific purposes. However, the material MUST be accompanied by sufficient information on how it can be used and whether APC was granted permission for any public display of such footage or images.


Phones and Other Portable Devices

All points of this policy apply to mobile phones and other portable devices in the same way as they apply to personal computers, as long as they are used for work-related communication or as a storage device for work-related data.


Threats Resulting from Social Engineering Activities

A frequently used strategy for extracting sensitive data is social engineering. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information1. The only possible defense is awareness and sound judgment when dealing with suspicious communication.

If a message is suspicious, even when staff members know the alleged sender, attachments should not be opened and clicking on links included in the message should be avoided. Even some mass-distributed fraudulent messages are designed in a way that makes the content look trustworthy and the sender appear to be someone who knows the addressee. Hijacking of Skype and social networking identities is another common method of information extraction. When sharing sensitive information, team members MUST confirm the identity of the person they are sharing it with.

APC staff MUST NOT disclose any even mildly sensitive information to any unknown person or to anyone whose identity is in doubt. This is particularly important in the case of team members who are involved in human rights work. Leaking sensitive information to an impostor can result in irreparable damage.


Managing Organisational Infrastructure

The following principles apply to management of organisational infrastructure:

General

  • Administrative passwords to all APC mailing lists will be changed twice a year.
  • Only the APC systems administrator and one selected team member have access to recordings of online meetings in APC's online meeting system.
  • Only the APC system administrator, technical support and the communications manager have superadmin privileges on APC servers, including FTP access, database manipulation, OwnCloud administration, content management systems, and other server applications. When needed, the APC system administrator can grant specific privileges to other team members, but this MUST be documented and such privileges should be downgraded as soon as the access is no longer needed (e.g. at the end of a specific project).
  • Only the APC system administrator and the executive director have administrative privileges to make changes to APC-owned DNS records.


Staff exit management

  • When a staff member leaves APC, their access to private lists and online spaces is deactivated within two days, unless there are specific reasons why such access should be maintained. Posting privileges to some of the lists might be preserved, if needed.
    • The APC system administrator is responsible for disabling ex-staff's access to lists and their access to other spaces and systems.
    • The staff member responsible for administering staff contacts in APC's contact database must make sure that the exiting staff member is removed from the “APC Staff” contact group.
  • When a staff member leaves APC, their administrative privileges to lists and spaces are handed over to their supervisor or to a person(s) previously identified by the supervisor. This MUST happen before such staff member leaves.


Agreement with organisational partners on sensitive information

When a new project starts, the project coordinator SHOULD sign an agreement on information sharing principles with all project partners. This agreement should include:

  • List of all expected types of information that will be exchanged between collaborating organisations and which of those types are to be considered sensitive information.
  • Details on how sensitive information will be exchanged and what exact security measures will be taken to protect the information (e.g. sending encrypted email, exchanging encrypted databases, using secure voice communication).


Activity-specific security policies

When organising an event that is of a sensitive nature such as when participants' identities must be kept private, a specific security policy MUST be in place and participants must be informed about it. It must address:

  • Principles of communication on coordination lists or email loops (e.g. Do people disclose their identity? How much should they share about themselves and their work? Which email addresses should they use for such communication?).
  • Principles of sharing information about the event outside of the event (e.g. Can they inform others that they are attending the event? If so, who can be informed and who cannot? Can people tweet from the event?).
  • A/V documentation (e.g. Can people take photos or make audio or video recordings? Can these photos and recordings be shared? How and with whom?).
  • Access to information about venue and participants (e.g. Who has access and where is it stored?). This includes all documentation from the event such as notes, photos, audio and video documentation.
  • Reporting from the event (e.g. What will be included in the report? Who will have access to the report? Will donors receive detailed information about the event?).


Online Databases and Access to Servers

When designing online databases that are meant to host sensitive content such as personal information, the server administrator must follow these rules:

  • The database's web browser interface will be hosted on a server separate from the server that hosts the database.
  • Data at rest must be encrypted. A system must be put in place that automates this or facilitates management of such encryption.
  • All data for all websites, both external and internal, must be retrieved and posted using a secure connection and a secure protocol such as https.

Only SFTP and SSH protocols are permitted for direct access to APC servers.
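As an added example (not APC's own tooling) of checking a server against the rules in this section, the script below audits a constructed sshd_config and a constructed listing of listening sockets in the layout of `ss -lnt`: whether SSH is key-only with root login off, whether the SFTP subsystem is configured, and whether FTP, plain http or a database port is listening on all interfaces (a database reachable from outside contradicts the separate-server rule). The required values and the port tables are an assumed baseline, not settings from the page; point the two parsers at the real file and command output to use it.

```python
"""Audit helpers for 'SSH/SFTP only' server access and database separation.

Added example, not APC's tooling. Both inputs below are constructed samples.
"""
import re

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for illustration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:21          0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      80     0.0.0.0:5432        0.0.0.0:*
"""

# Assumed hardening baseline (not from the page): global sshd options and the
# values that satisfy them, plus the services the access rules exclude.
REQUIRED_SSHD = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "x11forwarding": {"no"},
}
CLEARTEXT_ACCESS = {21: "FTP", 23: "telnet"}
DATABASE_PORTS = {3306: "MySQL/MariaDB", 5432: "PostgreSQL"}
ANY_ADDRESS = {"0.0.0.0", "*", "[::]", "::"}

# sshd accepts "Key value" and "Key=value"; keywords are case-insensitive.
_OPTION = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")


def parse_sshd_config(text):
    """Effective global options with lower-cased keys. sshd keeps the first
    value given for a keyword, and Match blocks apply only conditionally, so
    everything after a Match line is skipped here."""
    options, in_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPTION.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
        elif not in_match:
            options.setdefault(key, value)  # first occurrence wins
    return options


def audit_sshd(options):
    """Findings for the parsed global options; an empty list means compliant."""
    findings = []
    for key, allowed in REQUIRED_SSHD.items():
        value = options.get(key)
        if value is None:
            findings.append(f"{key}: not set, compiled-in default applies")
        elif value.lower() not in allowed:
            findings.append(f"{key}: is '{value}', expected one of {sorted(allowed)}")
    if not options.get("subsystem", "").startswith("sftp "):
        findings.append("subsystem: no sftp subsystem, SFTP transfers will fail")
    return findings


def parse_listeners(text):
    """(address, port) pairs from `ss -lnt` style output; header line skipped."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            address, _, port = fields[3].rpartition(":")
            listeners.append((address, int(port)))
    return listeners


def audit_listeners(listeners):
    """Findings for sockets that breach the access or separation rules."""
    findings = []
    for address, port in listeners:
        if address not in ANY_ADDRESS:
            continue  # not bound to all interfaces; review its reachability separately
        if port in CLEARTEXT_ACCESS:
            findings.append(f"port {port}: {CLEARTEXT_ACCESS[port]} open; only SSH/SFTP are permitted")
        elif port in DATABASE_PORTS:
            findings.append(f"port {port}: {DATABASE_PORTS[port]} on all interfaces; database must not be exposed")
        elif port == 80:
            findings.append("port 80: plain http open, confirm it only redirects to https")
    return findings
```

On the sample input the sshd audit reports root login and password authentication, and the socket audit reports FTP, plain http and the PostgreSQL port; the MySQL socket on loopback passes because it is only reachable locally.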