No 35, April 2008

DIGITAL SECURITY FOR ACTIVISTS

Guarding against the loss of information

Wojtek Bogusz, digital security consultant, Front Line & Dimitri Vitaliev, co-author, Security Edition of NGO in a Box

The information stored on your computer (sometimes years of work) can be lost in a myriad of different ways. Don’t wait until your computer crashes to think about backing up your information. You need a structured backup policy that reflects your current situation, including the types of information you have stored, and how to recover that information in an emergency.  

This is the fourth article in a CSW Monthly Bulletin series [1] highlighting practical ways you can increase your digital security and privacy. All the articles are a part of the updated second version of the Security Edition of NGO in a Box [2], currently under development.


Introduction

Today, more than ever before, we depend on information - email sent or received, documents, testimonies, pictures, databases and so on. Try and imagine what you or your organisation would do tomorrow if all this data were to disappear. We also store a large part of this information on computers, mobile phones and other digital devices. Virus attacks, hackers, electric short circuits and spikes, water spillage, theft, confiscation, demagnetisation, operating system failure, hardware failure, or simply loss of a device due to fatigue and absentmindedness can all lead to a sudden loss of data. 

Common Misconception:

Our IT guys are looking after the backup.

Answer: You are responsible for protecting your own data and surviving its loss. IT personnel should not be relied upon to know where you keep all your data and what risks and dangerous situations can befall your organisation. In 9 cases out of 10, backup is stored either on the same computer as the original or is copied to disks and lying on the shelf in the office. 

Defining and organising your information: 

Try to picture where your personal and work information is currently located. Your email might be stored on the provider's server, or on your computer (or both), and you might have several email accounts. There are also address books, chat history and personal programme settings. There is also data on your computer, perhaps in the office and at home. It is also possible that some data is stored on removable media, including a USB memory drive, CDs and DVDs, and old floppy disks. Your mobile phone has a list of contacts and important text messages. Your website may have a large collection of articles. Don’t forget non-digital ways you may store information, like paper notebooks, diaries, and letters. 

Next, you need to define which information is unique and what is already a copy. Try to write down the physical location of all originals and copies. This could include the office computer, office shelf, home computer, and your web server. You will soon be able to visualise and define your backup needs and see the beginning of a backup strategy. Let’s consider a situation like this:

 

Data Carrier

Original/Copy

Data Type

Location

Computer

Original

Documents

Office

Google mail

Original

Email, Address Book

Internet

Mobile Phone

Original

Contacts, Short messages

With me

USB memory drive

Copy

Some documents from office computer

With me

Printed documents

Original

Fundraising contracts

Office

CD disks

Copy

Some documents from office computer

Home

 In the table above, you can see that:

         the only pieces of data that will survive a computer crash are documents copied onto a CD and USB drive located with you and at home;

         there is no offline copy of email messages or the address book – so, if you forget your email account password (or even worse, someone else finds out what it is and changes it) then you will also have no access to years of accumulated email;

         there is no copy of the data stored on mobile phone;

         there is no digital or physical copy of important fundraising contracts; 

 

Creating a backup strategy 

To create a functioning archive for all data types listed above you will need to implement a combination of software and process solutions. Each data type should be stored in two separate locations. 

Email - Instead of accessing your email only via webmail, install and set up an email client, like Thunderbird [3] to download your email to the computer. Most email providers will have details on their websites for how to connect using an email program and how to import address book contacts [4]. Note: Ensure that you leave the messages on the email server as well, rather than just moving them over to your computer. 

Computer - Create a full backup of all your documents on the computer by using a programme like Cobian Backup [5] and storing it on removable media such as a CD disks at home (in addition you should use Truecrypt [6] to encrypt the information you write on CDs) 

Mobile Phone - To copy the address book and SMS messages, try and connect your mobile phone to the computer by downloading appropriate software from the vendor's website. Alternatively, you can copy all data to the SIM card, move the SIM to another phone and copy all the data off it. This way you will have all the contacts and SMS messages on two separate phones. 

Printed documents - Scan all important documents, encrypt them with Truecrypt, copy to removable media (like CD's) and store at home. 

In the end, you should have rearranged your data sources, carriers and backups to withstand potential calamities:

 

Data Carrier

Original/Copy

Data Type

Location

Computer

Original

Documents

Office

CD disk

Copy

Documents

Home

USB

Copy

Some documents

With me

Google mail

Original

Email, Address Book

Internet

Thundebird

Copy

Email, Address Book

Office

Mobile Phone

Original

Contacts, Short messages

With me

Computer

Copy

Contacts, Short messages

Office

Printed documents

Original

Fundraising contracts

Office

USB

Copy

Fundraising contracts

With me

 

What medium should I use?  

Firstly, you should decide on the backup medium: 

         CD/DVD – CDs store 700 MB and DVDs 4,700 MB of data. You will need a CD or DVD burner in your computer and relevant software (like DeepBurner [7]). Remember that CDs/DVDs will start to lose the information written on them after 5 to 10 years. If you need to store backup for longer you should look for other medium (like magneto-optical discs [8]);

         USB memory drive - stores as much data as the device's capacity allows. Easy to erase and re-record numerous times. Note that both USB memory drive and disks have a finite lifetime. See Allwaysync [9] a handy programme to synchronise your original and archive data;

         Server - you will need to have a functioning server on the Internet and be able to upload data to it using additional software. You can register free storage space on the Internet, see xDrive or iDrive websites [10]. Note: You should encrypt your information before you'll send it to the server, otherwise you have no control over who can read it.

 

Managing your backup 

In order to make the backup process effective and simple to perform you will need to understand and implement the following recommendations: 

         Organise the files and folders on your computer. Try and move all relevant documents that you are going to backup into one folder (e.g. My Documents)

         It is important to secure your backup device. You can do this by using disk encryption and programmes like Truecrypt. In addition, you can purchase a safe to store it in.

         Create a regular schedule to perform your backup.

         Organise and implement a backup policy for yourself and all your staff in the office. Ensure this procedure is of the utmost importance to everyone.

         Keep your backup copy AWAY from the original. Do not store it on the same computer, or in the same office or building.

         Review whether you have a copy of the installation disks of the programmes you use. Does your disk read well? Do you store them in the safe place? Do you have all the serial numbers and user information?

         Try and test different backup recovery scenarios.

 

References and further reading  

[1] See other articles published in "Digital Security and Privacy for Activists" series:

                "Introduction", CIVICUS Bulletin No 32, January 2008: www.civicus.org/csw/SECURITY_INTRO1.htm
(Russian language version: www.civicus.org/new/media/No32-Digital-Article-Russian.doc)

                "Roots of (in)security: Protecting your computer”, CIVICUS Bulletin No 33, February 2008: www.civicus.org/csw/DIGITAL_SECURITY-No33.htm 
(Russian language version: www.civicus.org/csw/DIGITAL_SECURITY-No33-Russian.htm)

                "Away from prying eyes: Protecting your information from unauthorised access”, CIVICUS Bulletin No 34, March 2008 www.civicus.org/csw/DIGITAL_SECURITY-No34.htm
(Russian language version: www.civicus.org/csw/DIGITAL_SECURITY-No34_Russian.htm)
 

[2] "Security Edition of NGO in a Box" (see: security.ngoinabox.org) is a project of Front Line (www.frontlinedefenders) and Tactical Tech (www.tacticaltech.org) It is a toolkit of peer-reviewed free and open-source software, materials and guides to provide digital security and privacy. Its aim is to simplify this complicated area and reduce the overwhelming choices often faced by people when trying to find solutions to their problems. Recommended software is reviewed, explained and accompanied by installation and user guides in multiple languages. Each tool is accompanied with clear explanations and tips written for the non-technical user. The whole toolkit is available online on the Front Line website. The toolkit is also available on a CD. The toolkit is currently available in French, Spanish, Arabic, Russian and English.  

[3] Thunderbird email client programme replacement of Outlook: www.mozilla.com/thunderbird  

[4] Setting up a connection for your email program to some popular providers:

         For Gmail see mail.google.com/support/bin/topic.py?topic=12805 and how to Import Your Gmail Contacts into Mozilla Thunderbird email.about.com/od/mozillathunderbirdtips/qt/et_gmail_addr.htm

         For RiseUp.net see help.riseup.net/mail/mail-clients  

It is possible to install an extension to Thunderbird in order to download your email from popular providers (like Yahoo, Hotmail, Lycos, MailDotCom, Gmail, Libero, and AOL). Please see the webmail extension for instructions to installing and activating this service:  webmail.mozdev.org/installation.html 

Hint: for details on how to connect to other email providers, check the help sections of their websites. Keywords to look out for are 'POP', 'IMAP' and 'SMTP' server. 

[5] Cobian Backup is a programme to backup your files and directories from their original location to other location in the same computer (for example other disk drive) or other computer in your network. See: www.educ.umu.se/~cobian/cobianbackup.htm 

[6] TrueCrypt (www.truecrypt.org) is free open-source disk and files encryption software for Windows, Mac OS X, and Linux. See:

         Frequently Asked Questions www.TrueCrypt.org/faq.php

         Beginner's tutorial www.truecrypt.org/docs/?s=tutorial

User Guide www.truecrypt.org/docs 

[7] DeepBurner is an CD and DVD burning package. It supports a wide range of internal and external (USB 2.0 and FireWire) CD and DVD writers. Burn any data, copy any disc, make backups, create photo CD albums, make ISO CDs and Video DVDs. See: www.deepburner.com 

[8] See “Magneto-optical drive”article on Wikipedia: en.wikipedia.org/wiki/Magneto-optical_drive 

[9] Allway Sync is free and easy to use Windows program that synchronise your data between desktop PCs, laptops, USB drives and more. See: www.allwaysync.com 

[10] xDrive (www.xdrive.com) and iDrive (HYPERLINK "https://www.idrive.com/" https://www.idrive.com) are online storage servers which offer free space (xDrive: 5GB and iDrive: 2GB) to backup your files. 

 

About the authors

Dimitri Vitaliev is a consultant on issues of electronic security and privacy for human rights activists around the world. He is the author of the 'Digital Security and Privacy for Human Rights Defenders' manual, co-editor of the NGO in a Box - Security edition project and is often on the road, providing training and advice on security policies and strategy. 

Wojtek Bogusz is a digital security and information systems consultant and trainer working with Front Line – Dublin based International Foundation for the Protection of Human Rights Defenders. He is also co-editor and manager of the Secure Edition of NGO in a Box  project. 

You can contact both of the authors through the group email of Security Edition of NGO in a Box project: security (AT) ngoinabox (DOT) org