Ask A Digital Security Trainer: The Process of Risk Assessment
As part of our sustainability and adoption work, the I2P Research and Usability Lab has reached out human rights defenders, journalists, activists, teachers and NGO’s. The goal is to gain insight about the experiences they have in their roles, the tools they use for privacy, and the challenges they encounter when interacting with privacy focused tools and technology.
In our discussions about what we could ask as a series of questions, we drew on our own experience interacting with tools in the Open Source privacy community. We wanted to understand how people build trust with a privacy tool, and what makes a good or bad first impression. We wanted to explore the paradox of caring about privacy while at the same time making a conscious choice to make use of communication options that are not considered optimal because the better choice breaks a workflow or is too difficult to interface with.
In our work over the past year we have learned about how much assumed knowledge and jargon truly weakens the chain of adoption, capacity and sustainability. After implementing some changes to I2P core onboarding, have we done enough? What can we improve and what are our remaining blindspots? We asked for, and received feedback from first impressions about the I2P Core Java software.
The topics we will be covering from our research synthesis are as follows:
- What are some of the threats that arise from your risk assessment? What is the process you use to assess and create security support?
- What kinds of challenges do you encounter when interacting with privacy and security tools?
- How do you trust model?
- What is your impression of I2P?
For this post, we will begin with insights into the process of risk assessment and the threats to digital security that digital trainers and the people they work with encounter.
Key Findings:
Training is based around threat models as opposed to roles. Threats include confiscation or arrest by government. Interception, blocking and censoring.
Training and support focus on issues with communications being intercepted, computer files being corrupted, and protecting sensitive data.
Freedom of the Press Issues:
- Journalists have to threat model for the possibility of being arrested on the spot , devices being seized or being hacked.
Government overreach and human rights issues:
- Being prosecuted for being critical of the government.
- Having family and friends threatened or harassed.
- Having devices confiscated or hard drives searched.
People face a lot of problems with communications being intercepted or computer/files becoming corrupted. People can send malware to accounts and block them out. There is also the problem of trying to access things online. In some places people need a VPN to use Facebook. All social media requires a VPN to have access. If you use text or phone and happen to discuss things that security agencies don’t want you to discuss, it can be a big problem for you. Especially for those working in human rights directed activities.
Most of the training is divided into two parts. Physical security and digital security. The goal is to find out what the issues of the company, individual, community or human rights defenders are.
Trainings take participants through basic security concepts to understand what the risks are. This includes how to deal with security incidents if they encounter them. People are taken through security planning. The trainings take people through available privacy tools and options and through best practices for people to use when communicating with other people.
For journalists based in countries where freedom of press is not the best, doing their work in an independent manner can put them at risk. The main threat they face is being arrested on the spot when investigating. They may have their phones or computers hacked. They may be threatened for publishing a paper that is critical of government. Their family and friends may be threatened. They face self-censorship and the ability to perform work as they want.
I help separate private and professional life better to avoid threats.
It is important to consider : What does the internet know about you. Some threats that people face come from information that is available online, or from gaining access to personal information. Ensuring that people review privacy settings is important. Finding the best secure messenger, VPN, and making sure to have protection from viruses and malware is important.
Don’t do blind training. Do security audits and risk assessment, establish problems and vulnerabilities. Tailor a support program.
There is a very broad list of threats. Searches, seizure of personal devices, hacking of email, websites, messengers, wiretapping. People need training because they don’t always know what tools are available or how to use them properly.
It’s also important to use case studies to break down the obvious threats, to show the cause-and-effect relationship.
In Part Two we will discuss the insights and findings from our conversations about the challenges of using privacy tools. How do we include them in our workflow? Why do first impressions matter? Why is fluid usability so important?