= Digital communications security ideas activists should be thinking about =

Everyone's situation is different! But there are common threads and we can learn from each other.

== Basic Themes ==

Security isn't just one thing. You can think about your risks more clearly if you understand what kinds of concerns you have. Four major security themes that are worth thinking over are:

 Privacy:: Who can see my communications? Is it only the people I expect? What does privacy mean when sending the same message to many people? Who can breach the privacy? Am I protecting the privacy of my members or the people I'm working with?
 Authenticity:: When I receive messages, how do I know who they're from? Are they really from that person? When I communicate messages where my identity is important and relevant, how can the people I'm communicating with know that my messages are really from me?
 Anonymity:: When I want to communicate ''without'' divulging my identity (whistleblowing, etc.), how can I be sure that my identity is protected?
 Reliability/Access:: Is the communications medium I'm using something I can rely on? Who controls the medium? Can it be shut down or interrupted? Will it be there when I need it urgently?

Discussing these themes with your fellow organizers and activists is an excellent first step toward building security. Keep in mind that improvements in one area (like privacy) may lead to a decrease in security in another area (like reliability/access).

One resource you may find helpful is a [https://network.progressivetech.org/system/files/ptp-digital-security-overview-worksheet.pdf worksheet developed by the Progressive Technology Project]. Try filling out both pages.

You may also be interested in [https://riseup.net/en/security Riseup's security tutorial].

== Resources ==

=== Sending messages ===

One activity we engage in every single day is sending each other messages.
Sending messages crosses all four themes, so picking the right method will depend on, for example, how you compare your need for privacy with your need for reliability.

==== Email ====

Email is the oldest and most universal form of exchanging messages.

 * [wiki:faq/email/openpgp OpenPGP] is a method that allows you to encrypt your messages so that not even your Internet provider can decipher them. However, it is hard to set up and requires that both you and the recipient use it.
 * How do you get your email? Webmail means going to a web site and entering your username and password to access your email. It is very convenient: you can access your email anywhere, even if you don't have your phone or computer. However, it also means that all of your email is saved on the server, which could be subpoenaed. Alternatively, you can use a desktop or mobile client that downloads your email, removing it from the server. However, your phone or computer can be lost or subpoenaed. There is no right answer! But at MF/PL you can [wiki:/faq/email/configure-email choose between webmail or a client] based on your needs.

==== Other forms of instant messaging ====

 * All May First/People Link members can use [wiki:/how-to/jabber jabber] - which works on your computer and on your phone and supports end-to-end encryption.
 * Another popular, free and secure messaging application is called [https://whispersystems.org/ Signal by Whisper Systems].

=== Web sites ===

Web sites also cross many different security themes. Your web site may contain sensitive data that should only be seen by people with the right access. Also, your web site may track visitors, which could be used in a lawsuit against your allies. And lastly, web sites are the most popular target of denial of service campaigns - when your political opponents try to shut down your web site using legal or technical measures.
 * If your web site address does not have a padlock next to it (and is not accessible via https) - then all traffic to and from your site is in plain text and can be watched by anyone with the legal or technical means to intercept it. If you use a username and password to log in to your site - that information is also sent without encryption. At May First/People Link, you can enable encryption [wiki:/faq/security/setup-certificate with a few clicks] thanks to [https://letsencrypt.org/ Let's Encrypt].
 * If you are using your site to organize people, and your campaign is successful, you could find yourself under criminal investigation in which [https://mayfirst.org/en/2017/content-statement-justice-department-demands-dreamhost/ logs of every visitor to your site are subpoenaed]. Find out how to [wiki:web_server_logs turn off logging on your site] to avoid being placed in this position.
 * May First/People Link has an extensive [wiki:/faq/data-backup backup system in place]. However, if downtime is critical, we encourage you to maintain [wiki:/faq/member-backup your own backup as well]. Deciding your backup strategy will require a trade-off between privacy (you don't want backup copies lying around) and reliability (you want to have the data to get your site back online at a moment's notice).
 * Many campaigns are shut down right when they are gaining momentum due to legal takedown notices. If you are running a campaign that involves a spoof or any content that could even just barely be considered illegal, please check in with us first so we can involve our generous pro-bono lawyers at the [https://eff.org/ Electronic Frontier Foundation]. We have a [wiki:/legal web page documenting our history fighting legal threats] - something you should expect from any organization providing digital services.
 * Other campaigns are shut down due to a technical denial of service attack - when anonymous attackers flood your web site with so much data that it stops working properly. We work closely with [https://deflect.ca/ Deflect] - a DDoS protection service and have [https://mayfirst.org/en/2015/were-back-improved-and-ready-thanks-you/ extensive experience] fending off these attacks.

=== Databases ===

The movement is increasingly depending on databases specifically designed to help us organize. A database can help us track donors, send email communications, register people for events, generate phone lists and walk lists and more.

One database used throughout the movement is [https://civicrm.org/ CiviCRM] - a free and open software project that you can host within your May First/People Link account. Due to its complexity, many organizations choose to work with a partner to set it up. For example, the [https://progressivetech.org/ Progressive Technology Project] launched the [https://ourpowerbase.net PowerBase project] to facilitate setting this up.

When hosting your database with a corporate provider, like NationBuilder or Salesforce, you run the risk of having your data subpoenaed without your knowledge.

=== Sharing Files ===

Sharing files is critical to movement building - whether it is allowing others to download statements or images, or providing a space for collaborative editing.

 * Real-time editing or notetaking. Riseup's [https://pad.riseup.net/ Etherpad] instance is an excellent place for joint note taking or collaborative editing. Several people can edit the same document and see each other's edits as you type. Riseup deletes all pads that have not been edited in over a month - so be sure to copy down any completed documents.
 * Similarly - May First/People Link provides a similar site for spreadsheets called [https://calc.mayfirst.org/ Ethercalc].
 * For more long term document sharing, May First/People Link offers [https://support.mayfirst.org/wiki/nextcloud Nextcloud] - a full-featured site that allows you to:
   * Synchronize and share documents via the web, on your computer and on your phone
   * Synchronize and share calendars between team members and your phones and computer calendars