Protecting the Identity of Human Rights Activist When Using Mobile

From DevSummit

Guardian Project

Facilitator: Derek

Goals - protect activists
Collaborated with Tor project
Built Android port of Tor

Projects include:
- Encrypted IM on mobile
- Automatic obfuscation of identity via facial recognition on mobile phone camera
- Developer tools

Problems w/Tor:
- Latency/sluggishness domestically
- Some areas experience much more focused attacks on the Tor network
- China: Private bridges are closed within 5-6 hours

Comment:
- Our NPO staff sends emails etc. in the clear, but there are threats/risks from the governments in Brazil, Southeast Asia, India, China, U.S.
- Staff uses Skype for chat/calls
  - Side note: New Skype vulnerability found - you can detect someone's IP address just by placing an uncompleted call

Why don't people use security tools?
- Because they're hard to use - e.g. PGP
- For mobile phones - it's even harder
- Hacking laptop/desktop config files for better security is still easier than trying to hack your phone (it's still like a black box)
- And this is for techies! For activists in the field it's even worse
- Expectations differ between different cultures & user communities
- Some balk at adding one more step to setting up/using email, etc. Others (such as those who live in repressive regimes) are very security-/privacy-conscious even for non-tech matters.
- It's a psychology problem. Past frustrations with using security tools lead to user resistance in the future
- People don't understand the consequences. They might understand the consequences of lax physical security (getting arrested, having the sh*t beat out of them), but don't understand consequences of lax digital security (because they're in the future, or a step removed)
- Scare them with demos: Firesheep hacking, sniffing of their web photos


More Guardian projects
- Tools/app to make key exchange easy & happen in the background
- Android app: Orbot to support Tor over wifi hotspots
- Android app for visual privacy: ObscuraCam - take photos on your phone (or import them), the app processes the image using facial recognition to _mask_ the faces. Then you can share the photos online with less risk of compromising people's identities (e.g. taking/sharing pictures at an Occupy protest)
- ObscuraCam is partly based on use cases from the organization WITNESS
- They're also thinking about a flip-side app: InformaCam for putting more identity, info into a photo & its metadata - one use case: make photo admissible in court

Comment: Copwatch/Openwatch app discussion involved storing diffs between

Openwatch overview: Clandestine recording on your phone, e.g. to capture abuses by law enforcement officials.
One activist had to smuggle a video out on microSD card hidden in his gums!

Q: I thought the Guardian Project was a distro?
A: They are doing custom handsets based on CyanogenMod + custom distro on Nexus One, they give training before distributing handsets. They want to make it a distro, but that's further down the roadmap, partly due to the time/resource constraints. There's also some resistance to a fully-securitized Android distro from various parties - e.g. Android app devs didn't like the toggling of Android system permissions

Whisper Systems - Whispercore project
- Another mobile security project (firmware)
- Has overlap with other security projects, high-quality developer, but not open source
- Still recommended (until a better open source option becomes available)

Q. Is this available on lower-end handsets?
A. Not yet, because of computation resource constraints (but this is changing, hardware on low-end phones is improving)

Q. How to encourage people to take privacy/security more seriously?
A. One answer - make people see that they're not just protecting themselves, they're protecting their family/community.

Example from Safer Mobile project in Egypt: A boy was photographed in a public square engaged in questionable activity. He was tagged on Facebook - because of this, he got thrown into jail

One-touch panic button - If you're under duress, blasts alert message/location info to selected contacts and also wipes selected areas of your phone

"I'm Getting Arrested" app - Does something similar, used/developed for Occupy

Q. How to encourage developers to develop with privacy, security in mind?
A. Some answers:
- Name & Shame approach - publicly expose security vulnerabilities
- Defcon dev contest for security tools drew very few entries
- Understanding what are the "hot areas" of security/privacy development with the most activity
- Frame it with a real-world impact, e.g. what technologies does the Occupy movement need?
- Have more compelling narratives
  - Security horror stories that are personal - what could you build that would protect these people?
- App contests are not enough - devs want to help, but they need to eat - day job takes precedence
- VMware/Benetech - offer paid 3-month sabbaticals to do social coding for good

Report-back:


Usability issues for security tools:
- User experience for OTR vs. PGP
- User feedback on Tor

Motivating users toward security practices:
- Having your friends tagged in Facebook, then thrown in jail
- Useful demos: Man-in-the-middle attacks, upside-down kitty pictures, Driftnet, Firesheep

Apps & tools from Guardian Project + others in the space:
- ObscuraCam, "I'm Getting Arrested" app, Key exchange, Tor, Whispercore

-- Kathryn Benedicto Happy Snowman Tech - Drupal Website Development for Nonprofits kathryn@happysnowmantech.com +1 408.394.0796 http://www.happysnowmantech.com