In order to get a complete idea of our security situation, it is important to take account of our information as an important asset which we produce and use in our work, and undestand how it relates to our security. In this section, we will encourage you to map your information and explore the threats to its integrity, as well as ways of protecting it.
When we talk about 'information' or 'data' in the context of our work, we refer to many things, such as:
- Products of our work; reports, databases, images, voice and video recordings.
- Operational information; e.g. our text messages, files and progress reports and other office information and communication.
- Personal information that identifies us as members of an organisation, as well as other personal or professional affiliations.
- Data generated by our use of digital devices as we work, or 'meta-data', which can be used to track our movements or monitor our relationships.
This information can be stored and communicated in many ways and, if accessed, can give our opponents an alarmingly comprehensive picture of our actions and relationships. This makes it a very valuable asset and it should be treated with care. As human rights defenders have enjoyed increased access to digital technologies in particular in recent years, their opponents have demonstrated an increased interest in accessing their devices or intercepting their digital communications. Unfortunately, they are helped by the fact that much of the most popular digital tools do little to protect our information from a well-resourced opponent. Furthermore, some of our opponents may have relationships of collaboration with the same companies or institutions which provide our software or online services – making it a good idea to add these providers to your actor map.
As such, learning about how digital technologies work and increasing our digital literacy is an important and empowering step within our activism.
Download the full-length chapter from the sidebar to read about common threats to our information.
Categories of information
The first step to creating an information security strategy is to get to know what information we have, where it is, and how it moves from one place to another. Cataloguing our information helps us to view it as a tangible asset, rather than a vague mass of data, and enables us to feel more in control. It also allows us to pinpoint where or when our information is vulnerable and improve its safekeeping.
In the following sections we will separate our information in terms of whether it is primarily stationary (at rest) or is information which travels (in motion). Information stored in a filing cabinet or hard drive can be considered information at rest, whereas exchanging messages via mobile phone will be considered information in motion.
Find out about information at rest [link to at rest] and information in motion [link to in motion] and how to differentiate between the two in the linked chapters.
This distinction is helpful in informing our decisions on how we secure our information: different tactics have to be used for information at rest as opposed to information in motion.
However, bear in mind that much of our digital information may change states at different times. Consider the use of remote storage services (also called “cloud storage”) where our data is typically at rest, except for when we upload it, or when we access it whereby it enters a state of motion as the data travels across the internet.
Mapping your information ecosystem
Complete the exercise linked below to create a map of your and/or your organisation’s information. This 'information map' can take the form of a text document or spreadsheet and should be updated regularly.
Here are some key aspects to consider when creating an information map:
What information is it?
Group similar types of information together. For example, perhaps all financial documents belong in the same category, whereas not all emails do. Find categories which work for your and your organisation. Include software that you use here too as some software can be considered sensitive.
With regard to information 'in motion', it is a good idea to pay attention to the metadata of certain documents and communications (such as pictures and emails) and consider whether this information could be sensitive. In some instances metadata can be removed or distorted,1 whereas in others (e.g. emails) most of the metadata is always visible, but it is possible to take steps to make it less sensitive (for example, by using vague subject lines).
Where does it reside?
Who can access it?
How sensitive is it?
Below is an example of a three-tiered scale:
Secret: only specific persons should have access to this information
Confidential: this type of information is not for public consumption, but staff members may have access.
Public: this type of information does not pose any risk of exposure to public.
By introducing categories and notes to your map based on the above questions, you can begin to get an overview of the current status of your sensitive information and who may have access to it.
Consider also including the type of encryption (if any) that is used to protect the data: encryption is a technical means of reducing the number of people who can access certain information. It is ocasionally provided by service providers, although often we must learn to encrypt our information or communications using particular software in order to be more certain that it won't be accessed.
Once you have done this analysis, you should have a good idea of what gaps may exist in your current information security and can begin to build a strategy to close these gaps.
Read on to learn in depth about information at rest and in motion.