Protecting the Identity of Human Rights Activist When Using Mobile

From DevSummit

Guardian Project

Facilitator: Derek

Goals
- protect activists

Collaborated with Tor project
Built Android port of Tor

Projects include:
- Encrypted IM on Mobile
- Automatic obfuscation of identity via facial recognition on mobile phone camera
- Developer tools

Problems w/Tor:
- Latency/sluggishness domestically
- Some areas experience much more focused attacks on the Tor network
- China: Private bridges are closed within 5-6 hours

Comment:
- Our NPO staff sends emails etc. in the clear, but there are threats/risks from the governments in Brazil, Southeast Asia, India, China, U.S.
- Staff uses Skype for chat/calls
- side note: New Skype vulnerability found - you can detect someone's IP address just by placing an uncompleted call

Why don't people use security tools?
- Because they're hard to use - e.g. PGP
- For mobile phones - it's even harder
- Hacking laptop/desktop config files for better security is still easier than trying to hack your phone (it's still like a black box)
- And this is for techies! For activists in the field it's even worse
- Expectations differ between different cultures & user communities
- Some balk at adding one more step to setting up/using email, etc. Others (such as those who live in repressive regimes) are very security-/privacy-conscious even for non-tech matters.
- It's a psychology problem. Past frustrations with using security tools lead to user resistance in the future
- People don't understand the consequences. They might understand the consequences of lax physical security (getting arrested, having the sh*t beat out of them), but don't understand consequences of lax digital security (because they're in the future, or a step removed)
- Scare them with demos: Firesheep hacking, sniffing of their web photos


More Guardian projects
- Tools/app to make key exchange easy & happen in the background
- Android app: Orbot to support Tor over wifi hotspots
- Android app for visual privacy: ObscuraCam - take photos on your phone (or import them), the app processes the image using facial recognition to _mask_ the faces. Then you can share the photos online with less risk of compromising people's identities (e.g. taking/sharing pictures at an Occupy protest)
- ObscuraCam is partly based on use cases from the organization WITNESS
- They're also thinking about a flip-side app: InformaCam for putting more identity, info into a photo & its metadata - one use case: make photo admissible in court

Comment: Copwatch/Openwatch app discussion involved storing diffs between

Openwatch overview: Clandestine recording on your phone, e.g. to capture abuses by law enforcement officials.
One activist had to smuggle a video out on microSD card hidden in his gums!

Q: I thought the Guardian Project was a distro?
A: They are doing custom handsets based on Cyanogenmod + custom distro on Nexus One, they give training before distributing handsets. They want to make it a distro, but that's further down the roadmap, partly due to the time/resource constraints.
There's also some resistance to a fully-securitized Android distro from various parties - e.g. Android app devs didn't like the toggling of Android system permissions

Whisper Systems - Whispercore project
- Another mobile security project (firmware)
- Has overlap with other security projects, high-quality developer, but not open source
- Still recommended (until a better open source option becomes available)

Q. Is this available on lower-end handsets?
A. Not yet, because of computation resource constraints (but this is changing, hardware on low-end phones is improving)

Q. How to encourage people to take privacy/security more seriously?
A. One answer - make people see that they're not just protecting themselves, they're protecting their family/community.

Example from Safer Mobile project in Egypt: A boy was photographed in a public square engaged in questionable activity. He was tagged on Facebook - because of this, he got thrown into jail

One-touch panic button - If you're under duress, blasts alert message/location info to selected contacts and also wipes selected areas of your phone

"I'm Getting Arrested" app - Does something similar, used/developed for Occupy

Q. How to encourage developers to develop with privacy, security in mind?
A. Some answers:
- Name & Shame approach - publicly expose security vulnerabilities
- Defcon dev contest for security tools drew very few entries
- Understanding what are the "hot areas" of security/privacy development with the most activity
- Frame it with a real-world impact, e.g. what technologies does the Occupy movement need?
- Have more compelling narratives
- Security horror stories that are personal - what could you build that would protect these people?
- App contests are not enough - devs want to help, but they need to eat - day job takes precedence
- VMWare/Benetech - offer paid 3-month sabbaticals to do social coding for good

Report-back:


Usability issues for security tools:
- User experience for OTR vs. PGP
- User feedback on Tor

Motivating users toward security practices:
- Having your friends tagged in Facebook, then thrown in jail
- Useful demos: Man-in-the-middle attacks, upside-down kitty pictures, Driftnet, Firesheep

Apps & tools from Guardian Project + others in the space:
- ObscuraCam, "I'm Getting Arrested" app, Key exchange, Tor, Whispercore

-- Kathryn Benedicto Happy Snowman Tech - Drupal Website Development for Nonprofits kathryn@happysnowmantech.com +1 408.394.0796 http://www.happysnowmantech.com