This session is based on a guide developed by Indira Cornelio for SocialTIC.
Explain to participants that the intent of this session is for them to identify digital security solutions they can implement for safer online campaigning activities. They won’t need to immediately implement these during the session, however - the goal is for them to begin a process of exploration to identify what will work best for their individual contexts and campaigns.
Ask participants to share any examples of online campaigns they are aware of – are there any emerging trends in how these campaigns are implemented that they can identify?
Remind participants that, when it comes to mounting their own online campaigning and advocacy efforts, they should keep in mind the information and adversaries they identified during the Who Do You Trust? exercise. As campaigns are, by nature, very public efforts, they should be extra aware of who could potentially be monitoring them, or who might potentially pose a threat to them.
In the context of their own work, suggest to participants that when it comes time for them to begin the planning phase an online campaigning effort, they should work with their team(s) to answer the following questions:
Answering these can help them plan preventative measures against possible threats more strategically – highlight to the group that they can even prepare messaging in advance for possible scenarios that emerge from the responses to these questions. Also, remind participants that even envisioning the best-case scenario of the campaign is helpful for planning preventative measures – for instance, how would they prepare for the possibility that, if the campaign is successful and becomes quite popular, their website is unable to handle a sudden surge in traffic and goes down?
Now, explain to the group that during the next parts of this session, you will be providing guidance and recommendations on digital security practices useful for online campaigning efforts (if possible, depending on how much time you have to work with, allow participants to visit recommended tools’ websites).
Ask participants if they use their own personal devices for campaigning (versus a “work” device) - how much campaign related information they store on these devices? Are they connected to email and social media accounts as well?
Here are some topline practices to recommend to the group for device protection:
Online campaigns often require multiple users to be able to access the same online accounts (or devices, in some cases). Access to a device or account by multiple users with the same credentials represents a significant increase in risk; however, by taking some preventative measures, participants can substantially reduce the likelihood of these risks becoming direct threats:
For all shared online accounts and devices, limiting the list of those with access to as few people as possible is among the most critical first measures to implement; another is to make sure that any protocols or procedures put into place (especially regarding the following recommendations) are followed regularly and consistently;
For online platforms in particular, all team members with access should make sure to regularly check history and activity on shared accounts – for example, on Gmail/Google accounts, they can check the history of recent log-ins (and set alerts for suspicious activity) under “Last Account Activity”; likewise, for Facebook, they can go to the shared account’s Activity Log to check on recent activity;
Apply basic strong password practices for all devices and accounts that will be used for a campaign. Secure password storage managers like KeePass/KeePassX allow individual database files of account passwords to be created, which are in turn protected by a master password; likewise, for accounts like Google, Facebook and Twitter, enabling two-factor authentication provides an additional layer of access control and is highly recommended;
If a password needs to be shared between team members, but can’t be done in person, sending passwords over encrypted email - with GPG or using a service like Tutanota or over encrypted messaging (using Signal on a mobile device) are safer options – if using Signal, make sure to set a protocol with team members about deleting messages with passwords from their devices as soon as they are received.
Participants should be aware of the implications of using Facebook (or other large social media platforms) could be for their own identities online – to limit their exposure, they should create dedicated profiles specifically for administering pages, rather than using their own personal profiles;
Note, however, that it is now possible to receive Facebook notifications that are encrypted using a public GPG key to an associated email account – this can be useful for WHRDs who want to take further measures to separate their work and personal identities online while managing campaigns;
Those who are managing campaigns online should be very deliberate about the kinds of information and communication they share with online platforms like Facebook - there are past examples of campaign Facebook pages and profiles being infiltrated by adversaries, making it necessary for administrators to close them down (or, pages are forcefully shutdown by the platform because of reporting by adversaries)
This could represent a significant setback to campaign and community building progress, so highlight to participants the importance of having alternative communication and organizing channels – these could include: