Digital protection is the first step to any good investigation. In fact, protecting yourself when conducting online research is more important than the results of your investigation, because failing to understand and mitigate digital security risks can put you, your partners and your sources at risk. So, before you undertake any online research, take a few minutes to think through how you and the way you conduct your research may make you vulnerable to attacks from external parties.
It is important to remember that if you are a publicly-known human rights defender or your investigations are considered high-risk, taking important steps to protect yourself is even more important. “High-risk” will vary depending on your circumstances but in the case of corporate crime investigations be aware that companies – especially those that have close relationships with governments – have access to extensive digital technology and tools to track research being conducted on them or their affiliate entities. When in doubt, consider any investigation into corporate wrongdoing as high-risk and take all possible precautions by implementing more secure practices and tools.
Digital protection is the first step to any good investigation.
1. Do no harm
Before we turn to how best to protect oneself, let’s stop and reflect on how to make sure we protect others – those whom we work for, our partners, our sources, etc. The principle of do no harm must be integral to any investigation, even if that raises complex ethical questions during our research.
“Do no harm” is the duty to protect the physical, social and psychological well-being of those we work with and for. No research is worth putting peoples’ lives or safety at risk. All judgements regarding harm should be made on a case by case basis in consultation with participants, local partners and/or contacts. Respect individual’s informed decision on the amount and type of risk they are willing to take. Tactical Tech has an excellent piece on how an online investigator can incorporate the “Do no harm” principle.
2. Introductory resources to digital protection
It is time for the basics on digital protection. The first step we recommend you to take is to assess your current digital risks. Two tools in particular can assist you in quickly identifying your digital security vulnerabilities:
- In just a few questions, the Security Planner (developed by The Citizen Lab and Consumer Reports) will provide you with personalized online safety recommendations.
- The Ford Foundation’s Cybersecurity Assessment Tool is designed to measure the maturity, resiliency, and strength of your cybersecurity efforts. According to the site, you need 30 minutes to take this survey.
Several NGOs have developed extensive guides on how best to protect yourself when conducting online research, as well as in your everyday use of your mobile, laptop and other gadgets. Some of these are included below. If you have questions on these tools, contact the developers.
- Digital First Aid Kit (DFAK): Developed by the Digital Defenders Partnership, this Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies, such as: devices or data loss, devices and accounts acting suspiciously, websites not working, online impersonation, and online harassment. The DFAK can also be used by anyone who wants to learn more about how they can protect themselves and support others. The DFAK is available in English, Spanish, Portuguese, Arabic, Russian, and French.
- Surveillance Self-Defense (SSD) is a guide to protect oneself from electronic surveillance. Some aspects of this guide will be useful to people with very little technical knowledge, while others are aimed at an audience with considerable technical expertise and privacy/security trainers. The guide touches on a wide range of topics, from how to protect yourself when attending a protest to how to use Signal on IOS.
As The Citizen Evidence Lab warns us, open source information about human rights abuses can frequently be graphic and deeply disturbing. In order to know how best to look after yourself, check these tips on what each investigator can do when working with potentially distressing open source information.
4. Online anonymity: TOR browser and VPNs
You’re investigating a corporate target and you’re doing so without knowing whether you’re being traced online. Stop and consider that the browser you’re using is sharing information about you each time you visit a new site. One key way of ensuring your online anonymity is to use the Tor Browser. According to the Tor website, using their browser will keep websites from tracking you or will allow you to connect to news sites or instant messaging services blocked by your local Internet providers. According to Tor, it works “by encrypting your information and relaying it through Tor’s system of servers (called a circuit), so that your ISP can’t track your activity. Different tabs originating from the same website will all be loaded through the same circuit.”
Note, however, that Tor can slow down your research or prevent you to access certain pages that block Tor visitors.
If you choose not to use Tor, another option that will help you preserve your anonymity is the use of Virtual Private Networks or VPNs. VPNs work by disguising your IP address, which can be used by websites you visit to map where you are coming from. When using a VPN, rather than seeing your real IP address, sites you visit will see the IP of the VPN provider.
There are many VPN options and it can be confusing when deciding which one to pick. To add to the confusion, most VPN reviews and listings are not independent. While most free VPNs should be avoided because they are often funding their operation by selling their log data (records of what sites users visit via the VPN), paid options tend to be preferable (and can be engaged for minimal cost).
5. End-to-end encrypted communications
You’ve likely already heard of end-to-end encryption, but in case you haven’t, it is essential that you embed it in all of your confidential communications. Basically, and without getting too technical, end-to-end ecryption ensures that your message (email, chat, etc.) is protected while it travels to the recipient making it impossible for a third party to hack it while it is traveling. Once the recipient receives it, the message is decrypted and can be read.
There are many free, end-to-end encrypted email providers. Some of the more popular service providers include ProtonMail, Tutanota and Hushmail. The best way to protect your emails is that both you and the recipient of your email have the same email service provider — although it is not necessarily required (each service provider addresses this through different means).
Group Chats & Conferencing tools
Chatting on your phone or joining online conference calls also raises risks that can be addressed by end-to-end encryption technology. Front Line Defenders has developed a quick guide on how to “Secure Group Chat and Conferencing Tools”, which provides a simple helpful overview to choose the right tool for you.