Featured image: A journalist takes a snapshot of the December 3, 2015 Black Lives Matter rally at Minneapolis City Hall.

Today, on Human Rights Day, we focus on the importance of digital safety for human rights defenders around the world. In an increasingly digitally connected world, it is even more crucial for human rights defenders – whether activists, journalists or aid workers – to be safe online as they fight for the rights of marginalized and oppressed groups.

One of the organizations working to keep human rights defenders safe online is Security First. Established in 2013, Security First aims to make it easier for human rights defenders (HRDs) to work safely. We spoke to the co-founder, Holly Kilroy, to learn about their work and their latest app, Umbrella.

What led to Security First?

My co-founder, Rory Byrne and I have both worked in the human rights sector for over ten years and, unsurprisingly, faced many challenges, but the primary one was always security.

Both of us have been thinking about the problem of simplifying security for human rights defenders for the past 7 years, since our work in Sub-Saharan Africa establishing and running the human rights video organization, Videre, alerted us to the gap between need and existing tools when trying to secure our partners.

As well as building the app, Umbrella, we also provide security training to groups ranging from the largest human rights, media and aid NGOs in the world to individual LGBT activists on the ground.

Why the need for an app like Umbrella?

While there are a number of instrumental tools for the security of HRDs, collectively, they face a number of problems.

  • Dispersed: It is difficult for HRDs to keep on top of all the various tools and advice available and to know what to use/do when.
  • Complex: Many are designed for users who are adept at IT.
  • Fail to address digital and physical security holistically: Existing tools and resources focus on either digital or physical security, but fail to link them together in a cohesive strategy.
  • Unavailable on mobile devices: The many tools or content available only on websites or in PDFs mean they often remain inaccessible to the growing numbers of people in the developing world accessing the Internet solely via mobile devices. (e.g. 70% of the internet users in Egypt, 60% in India)

So we wanted to build a simple, easily-accessible tool that brought together digital and physical security, and helped human rights activists implement it in a really user-friendly way. We’re basically building the tool we wish we had ourselves.

Tell us a little more about Umbrella

If you’ve got a security problem, Umbrella will help you find the solution.

Umbrella’s content has been sourced from best practice security manuals and digital security guides, and provides practical advice for everything — from how to make a secure phone call or protect files, to counter-surveillance or what to do in case of arrest.

Lessons give simple step-by-step actions of what to do in any given security situation, and show the best tools for it.

Levels allow users to choose their level of ability and also get answers that reflect the level of risk or the type of protection needed.

Checklists help mark the user’s progress and share with colleagues what actions have been implemented or have yet to be done.

Tools recommended in the lessons can be tricky, so a tool-guide gives step-by-step help on how to set up and use the tools suggested.

A dashboard provides real-time updates on possible security threats, and alerts the user if there is anything in the vicinity that she/he should be aware of – from physical security risks like protests or kidnappings, to environmental or health security risks like floods or disease outbreaks.

Umbrella is free, open-source, and has cleared a security code-audit – it doesn’t track users’ location or take any personal data on them. Once the app is downloaded it can be used without data – the only feature that needs Internet access is the dashboard.

What has been the response to Umbrella?

This iteration of the app launched into public Beta stage testing in October 2015. After just a few weeks, Umbrella has 800 users and growing, and 96% of reviews on Google Play are five star.

A preview of Umbrella

The response from the human rights and tech communities has been brilliant. They’ve been so welcoming and supportive.

One Iranian journalist and trainer who must remain anonymous for security reasons said,

“Umbrella is very useful for my work. It really helps me as an individual and a trainer. It keeps me up to date on the go. It also keeps me updated with the newest tools, which is hard to do with my busy job. Based on my own experience it can help my students effectively learn how to protect themselves – from whatever may threaten them.”

Matt Timblin, who is Director of Security at Human Rights Watch, said,

“Managing the safety of staff and collaborators in insecure environments, across multiple locations and facing an array of threats can be challenging. The prospect of an easily accessible ‘one stop shop’ app, such as Umbrella, that allows quick access to security advice is an exciting and innovative development in helping improve the security of those working as human rights activists, humanitarians and journalists around the world.”

What are you hoping to see Umbrella achieve in the next year?

Security First is now looking to improve and build upon Umbrella in a number of ways. We want to:

1. Increase Umbrella’s functionality
We want to add several functions to Umbrella: We want to help users streamline the process of preventative planning through sharable planning forms; We want to improve users’ awareness of the specific risks they face by improving the dashboard functionality; We want to integrate existing tools where practical and safe to do so; and we want to allow for greater tailoring and customisation throughout the app.

2. Broaden Umbrella’s access
Clearly, at-risk human rights defenders reside in more than English-speaking countries – we want to broaden access to as many languages as possible. We have already had requests for translation into many languages, but for practicality’s sake, we will begin with Arabic and Spanish before considering other languages. We also want to make sure that those using desktops can also use Umbrella. We plan to create an iPhone version of the app once Umbrella 2.0 is complete.

3. Improve content and usability of Umbrella
We want to ensure that each how-to guide is as clear, concise, intuitive and tailored to users in the field as possible. While the existing app is highly functional, we want to make sure it is a pleasure to use, so as to encourage retention. We obviously need to ensure that content remains up-to-date and relevant. We also want to improve the system for users contributing to and collaborating on content.

Have you tried out Umbrella yet, what did you think? You can let Security First know by tweeting @_SecurityFirst. If not, you can test out Umbrella on Google Play. If you know of other tech tools for the digital safety of human rights defenders, comment below or tweet at us @TechChange.

Holly Kilroy

Holly Kilroy is the co-founder & Head of Org Development at Security First. She has spent the past eight years building projects that leverage technology and civil society coordination to address issues of human rights and conflict. Holly previously worked as the Emerging Powers Coordinator at Crisis Action where she launched and led the emerging powers program, providing direction for both organizational growth and campaign traction across the BRICS. Prior to this she helped set up Videre, where she spent four years as Head of Development, framing the need for safer, more effective video documentation and helping to launch projects around the world. Holly has also served as the International Officer for Irish Labour Youth and worked in communications for CSOs in Israel, the Occupied Palestinian Territories, and the UK.

Featured image credit: Tony Webster Flickr Creative Commons License 

We are excited to introduce Robert Guerra as a co-facilitator in our upcoming course, TC114: Basics of Digital Safety. Robert is the founder and executive director of Privaterra, a Canadian-based organization working with private industry and NGOs to assist them with issues of data privacy, secure communications, information security, internet governance, and internet freedom. Robert will be joining Norman Shamas in facilitating our upcoming course. We wanted to give you a little sneak peek of the course, so we chatted with Robert:

Q: How do you define/think about digital safety?

R: I define digital safety simply as a set of steps, processes and mindset one should follow to keep one’s devices, data, communications and online interactions as protected and private as possible.

Here are some key tips that I always mention to reduce digital risks:

#1. Be Aware!

When you really want to keep yourself secure online or anywhere else, it is important to be mindful of your environment. It is the most vital thing you can do.

Understand that there are many out there who are looking for simple chances to attack and steal your valuable assets. A common target will be an individual who does not take any precautions and might be intimidated by the internet and/or digital devices.

You wouldn’t leave your car door open with the keys in the ignition and the engine running, would you? Certainly not, as you run the risk of having your car stolen and driven away by someone who notices you aren’t around.

Are you taking the same precautions when using a mobile phone or using the internet? If you are, then you could be said to be doing something to protect yourself online – you are, in a way, implementing a digital safety practice of some kind.

#2. Guard Your Valuables!

Activities that involve far more valuable, sensitive and confidential assets require one to take additional precautions. Not taking any precautions is an invitation for a burglar to target you.

Would you openly share the key to your safety deposit box where you keep your valuables and very private documents? Obviously not. However, do you take the same precautions to protect your online banking accounts, private photos, sensitive contacts on your devices?

#3. Plan for the worst, hope for the best…

Not a day goes by without some news of a retail store or online site being hacked and thousands of accounts being compromised. Attacks are increasingly unavoidable, so it is important that one has contingency plans in place to react to all sorts of possible incidents and attacks.

The worst might not happen, but if it does – you will know how to react quickly and perhaps be able to minimize the situation from getting worse.

Q: How did you get involved in the field of internet security?

R: I got seriously involved in the field of internet security back in 2001 when I started a small Canadian NGO to provide encryption training to Human Rights NGOs in Guatemala and South America who were reporting that hard drives were being stolen, sensitive documents were being compromised and emails were being intercepted.

You could say, I was assisting at-risk groups who were reporting serious issues related to data breaches, surveillance and hacking almost 13 years before Edward Snowden raised the profile and importance of the issue.

Robert talks about what Privaterra and other organizations are doing to help identify and mitigate security vulnerabilities faced by Human Rights Organizations.

Q: Why is digital safety especially important for NGOs and organizations working with social justice issues?

R: NGOs and organizations working with social justice issues often deal with confidential and very sensitive data in the course of their work. This data, if not adequately protected, can lead to very serious consequences including death.

These groups, as stated by the targeted threats report published last year by the Citizen Lab, also face persistent and disruptive targeted digital attacks. Unlike industry and government, however, NGOs have far fewer resources to deal with the problem.

Q: What are you most excited about for the Digital Safety course?

R: I’m excited to work with Norman and the team at TechChange to help leading organizations better understand digital security and what can be done to raise the bar. We’ve worked to put together a great curriculum, some great resource material, and invited leading experts to share their amazing experience to improve the security of at-risk groups around the world.

Q: What kind of conversations are you hoping to facilitate in the course?

R: I’m looking forward to facilitating a conversation among the course participants and invited experts on security challenges currently being faced by NGOs and what steps we can take together to improve protection methods and organizational resiliency.

As well, I’m also interested in promoting a conversation and discussion about tools, best practices and resources that can be easily implemented to not only help individuals and activists but also social justice organizations working to promote human rights and democracy promotion in at-risk environments.

We are really excited to have Robert co-facilitating this course with Norman Shamas! We already have around 40 participants joining us. There is still time to enroll in the course. Apply now. Course begins August 17, 2015.

About Robert


Robert Guerra is a civil society expert specializing in issues of internet governance, cyber security, social networking, multi-stakeholder participation, internet freedom and human rights. Robert is the founder of Privaterra, a Canadian-based organization that works with private industry and nongovernmental organizations to assist them with issues of data privacy, secure communications, information security, internet governance and internet freedom. Robert collaborates with the Citizen Lab and Canada Centre for Global Security Studies at the Munk School of Global Affairs at the University of Toronto.

While many people were watching the final match of the Women’s World Cup last week, the Hacking Team was hacked. Hacking Team, an Italian digital security company, provided surveillance software to law enforcement agencies. Their clients are government agencies, but they have been accused of selling to oppressive regimes, despite embargoes like the Wassenaar Arrangement. Last week’s hack proved that they have in fact sold software to Sudan and a number of other oppressive regimes, including Ethiopia, Azerbaijan and Saudi Arabia.

Why should you care about these hackings? And if a digital security company can get hacked, what can you and I do to prevent ourselves from becoming victims as well?

The power of a strong password is not a myth
Passwords are an important aspect of digital safety because they act as a form of authentication, often times as the only method. It’s important not just for individual accounts, but also for bigger organizations. So, how strong were the Hacking Team’s passwords?

Apparently, not strong enough. Their Twitter account was hijacked and used to spread the cache of files published in the hack. The Twitter password was one of many passwords that were stored in files that anyone with access could read (i.e., in plain text). I can presume this was how their Twitter account was compromised.

Poor policies around how passwords are selected and stored are what led to the publishing of passwords for the Hacking Team and one of their software engineers, Christian Pozzi. As lampooned by security professionals on Twitter, the majority of the passwords Pozzi used were variations on the word ‘password.’

What’s the major takeaway here? That the best practices of choosing strong passwords, not reusing passwords and storing them safely are just as important as we’re always told.
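The three practices named above, sketched as a small credential audit. This is an added example, not code from the original post or from any party it mentions: the sample passwords, the word list, the 12-character minimum and all function names are constructed assumptions. The hashing functions show how a service that verifies logins can avoid keeping plain text; for an individual's own passwords, the equivalent is an encrypted password manager.

```python
import hashlib
import hmac
import os
from collections import Counter

MIN_LENGTH = 12  # assumed policy threshold, not a figure from the article
COMMON_BASES = ("password", "letmein", "qwerty", "admin", "welcome")  # constructed list
# Undo common character swaps so that "P4ssw0rd!" reduces to "password".
LEET = str.maketrans("013457@$", "oleastas")

def reduce_to_base(pw):
    """Lower-case, reverse character swaps, and keep letters only."""
    swapped = pw.lower().translate(LEET)
    return "".join(ch for ch in swapped if "a" <= ch <= "z")

def audit(credentials):
    """Return {account: [issues]} for every account with a weak or reused password."""
    counts = Counter(credentials.values())
    findings = {}
    for account, pw in credentials.items():
        issues = []
        if len(pw) < MIN_LENGTH:
            issues.append("too short")
        base = reduce_to_base(pw)
        if any(word in base for word in COMMON_BASES):
            issues.append("variation of a common word")
        if counts[pw] > 1:
            issues.append("reused")
        if issues:
            findings[account] = issues
    return findings

def hash_password(pw, salt=None):
    """Derive a salted PBKDF2 digest; store (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 600_000)
    return salt, digest

def verify_password(pw, salt, digest):
    """Constant-time comparison of a login attempt against the stored digest."""
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)

# Constructed sample inventory; none of these values come from any real leak.
SAMPLE = {
    "twitter": "P4ssw0rd!",
    "vpn": "Passw0rd2015",
    "mail": "P4ssw0rd!",
    "backup": "tidal-orbit-lantern-quarry-83",
}

if __name__ == "__main__":
    for account, issues in audit(SAMPLE).items():
        print(account, issues)
```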

A strong password isn’t enough: Get to know your software
Beyond agreeing that a password should be long, not everyone agrees on what constitutes a strong password. If your password has been compromised, you can be notified and change it immediately. But not all threats to one’s digital data are as transparent and easy to address. You especially need to be aware of what kind of software you have installed on your computers.

In the world of cyber warfare, there are holes in software that have been discovered but remain undisclosed and unpatched. Exploits for these holes are known as “zero-day exploits” (0-day) because they are used on or before the day the hole is publicly revealed. This essentially means that some person or some organization/agency might be able to install malicious software without you, the software provider, or any defensive software (e.g., antivirus) knowing.

This issue is serious because there is a thriving market where people can purchase these exploits, which disincentivizes security researchers from disclosing their findings.

Hacking Team used 0-day exploits to hide their surveillance software. As of today, three 0-day exploits for Flash have been revealed from Hacking Team’s files. How can you avoid this yourself? Always make sure that you upgrade your Flash player and keep it updated. Or better yet, consider having it set to run selectively by using the option “click to run” when on a website that requires Flash.

The more software you have installed (especially out of date and/or unnecessary software), the more chances there are for exploits to be used to compromise your system. This is even truer on mobile phones, which receive fewer software updates.

In addition to removing unnecessary software and keeping necessary ones updated, it is crucial to understand the limitations of software you are using. While not a new vulnerability, Hacking Team also had a Skype decoder to listen in on Skype calls. The published files revealed that they had this software from around 2006. Understanding the software you are using is essential to prevent having a false sense of security.

In the now immortal words of the Hacking Team, “If your company hasn’t been #hacked, it will be.”

If your organization works with personally identifiable data, it is crucial to make sure the data is safe. Learn more about digital safety in our brand new upcoming course, Basics of Digital Safety. The course begins on August 17; lock in the early bird rate now!