Strategy Paper on Online Safety and Security against Privacy Attacks
Introduction:
Privacy is a fundamental human right, which protects human dignity and forms the base of any democratic society. However, this right has become a major concern for journalists and human rights defenders (HRDs), including women, in Bangladesh. Journalists and HRDs face more significant digital security threats and privacy attacks due to their access to valuable and confidential information. Moreover, they have potential influence over policy formation and revision through their fact-based reporting or constructive criticism. Most significantly, online violence and privacy attacks against women activists are skyrocketing. It has also been observed that personal data can be compromised if digital hygiene is not maintained, and not adhering to standard practices while using the internet adds to the risk. The worst inconveniences journalists face vary by situation, ranging from personal threats from readers who disagree with their views, cyberstalking, doxing and targeted surveillance by government law enforcement agencies to falling victim to disinformation campaigns.
On the other hand, human rights defenders, as their title indicates, have an important role to play in documenting human rights violations as well as in helping victims get redress. It goes against all democratic norms and principles if they are punished for doing their job. In reality, the harassment they face includes death threats, physical attacks, targeted surveillance, violation of privacy and data breaches, enforced disappearance, threats to family members and the filing of legal cases against them.
In 2018, Bangladesh introduced the Digital Security Act (DSA) to mitigate cybercrime, as stated by the government, but the law has been used more for political gain than to control cybercrime. Since the enactment of the DSA, over 7,000 cases were filed under it up to January 2023, and the majority of the accused are journalists and critical voices[1]. It is observed that journalists and HRDs were under intensive surveillance while their personal information was breached by law enforcement agencies. In recent years, Bangladesh has been experiencing a rise in privacy violations committed against HRDs, activists and journalists who have been targeted for being critical of the authorities. Spyware technology is repeatedly used to silence journalists, scrutinise HRDs, suppress freedom of expression, and discourage peaceful protests. Many modern technologies for keeping an eye on targeted individuals are available worldwide. Among them, the Israeli-made Pegasus spyware is being used as a weapon by nearly 50 government agencies, including in Bangladesh, to deal with individuals dissenting against the government.[2] Allegedly, this spyware is widely used to spy on journalists, HRDs, politicians, etc., which is extremely alarming and seems to confirm some of the worst fears about potential misuse of surveillance technology to illegally undermine people’s right to privacy.
The use of surveillance software has been linked to the arrest, intimidation and even killing of journalists and HRDs in Bangladesh, violating the right to privacy and the rights to freedom of expression, association, and peaceful assembly. On the other hand, the scenario and impact of digital surveillance on women is even more traumatizing. The forms of harassment include personal attacks, sending sexually explicit pictures and soliciting sexual favours, discrimination and hate speech against women, making fake IDs, and normalising offensive sexual comments. Cyberbullying and online harassment of women journalists and HRDs are common in Bangladesh. Usually, sensitive and personal information is extracted through spyware to intimidate these women and tarnish their reputation. Female journalists and HRDs of the country are vulnerable online and are at risk of cyberstalking, the spread of personal information through social media, revenge porn, trafficking, AI-generated fake photos, etc.
Legal Obligations regarding Privacy:
Bangladesh is a signatory to most of the international treaties and declarations, and has ratified covenants, to ensure the ‘right to development’ as a means of promoting human rights. The government is bound by those human rights obligations, while the compliance mechanism is weak and often not enforced appropriately. A number of legislative statements consider privacy a fundamental human right. Article 43(B) of the Bangladesh Constitution, 1972 safeguards citizens’ privacy of correspondence and communication. Section 63 of the ICT Act, 2006 (amended in 2013, later turned into the DSA and subsequently modified as the CSA) provides a penalty for disclosure of a confidential and private electronic record, book, register, correspondence, information, document, or other material without the consent of the person concerned. The punishment for unlawful disclosure of such records may extend to two years of imprisonment or a fine of up to Taka two lakhs[3]. Additionally, according to Article 12 of the Universal Declaration of Human Rights (UDHR), there shall be no arbitrary interference with anyone’s privacy. Moreover, Article 17 of the International Covenant on Civil and Political Rights (ICCPR), to which Bangladesh is a state party, and Article 16 of the Convention on the Rights of the Child, 1989, also recognize privacy as a right. It should be noted that intelligence agencies are exempted from these regulations, as they can intercept, conduct surveillance, and record mobile or other communications with special permission from the State.
Scenario of Data Protection:
The aforementioned narrative illustrates the need for data protection legislation that will protect the interests of vulnerable communities like journalists, women and HRDs as well as the general public. Journalists and HRDs play an accountability role in our society by raising their voices against any injustice, regardless of the perpetrators’ power over the existing system. When journalists’ and HRDs’ rights are violated, the democratic space of the country is disrupted. At present, the question arises of whom to hold accountable to prevent, protect against, and prosecute attacks against journalists and HRDs.
There is no clear provision in any law of Bangladesh regarding the protection of citizens’ data. However, the government has recently approved the Data Protection Act 2022 (DPA). Various civil society organizations have raised concerns about its efficacy, inclusiveness and acceptance among citizens. They urge that stakeholders should get adequate opportunity to review and provide inputs to this law to ensure it meets international standards. Bangladesh, like many other countries, needs to have a strong legal framework for personal data and privacy so that the right to data protection is not violated without full disclosure. Public awareness, moral values and education on digital rights need to be increased to comply with such laws if enacted, because crimes cannot be stopped through the law alone.
Strategy to Combat against Online Attacks and Breach of Privacy:
It is clear that the target group needs to be aware of and sensitised to their own safety and security more than ever while performing their professional duties and responsibilities. The most significant strategy is to build an empowered community environment where journalists, women and HRDs practise and extend peer support, strengthen tolerance and back each other up proactively. VOICE has long-standing experience of educating and equipping journalists and HRDs on their digital rights and online safety and security to combat challenges which disrupt their usual activities. This paper showcases a comprehensive reflection of that integrated knowledge on holistic capacity development to tackle any sort of online attack on privacy. Technical guidelines on the practical implications of online safety and security measures for the target groups are listed below:
Awareness and Preparation on Digital Hygiene
This is one of the most significant preventive measures against online violence targeting journalists, women and HRDs. The actions are:
- In case of emails and links, senders’ details and sources should be verified.
- Attachments should be scanned with antivirus before opening.
- Open-source software should be given priority.
- Devices should be updated regularly.
- Using the free Wi-Fi of hotels, cyber cafes or other public networks should be avoided in general. In case of emergency, the connection should be secured with a VPN or Tor. When using others’ devices, a secure and portable OS like Tails should be used.
Malware, Antivirus and Malware Removal Tools
In most cases, computers are infected by connecting external devices. Active antivirus software should be installed and updated regularly. Any external device must be scanned by antivirus before it is opened.
- Autorun options on the computer should be disabled.
- To avoid malware attacks, all kinds of software should be downloaded or taken from authentic sources. Malware removal tools can fix already-infected files/systems. They are by no means an antivirus alternative.
- To be safe from malware or phishing links, any file, link or login page should be scanned before opening.
Browser and its Security
For safe browsing, users should log/sign in only to sites that use HTTPS. The HTTPS version of a web URL is more secure than the HTTP version. Fake login pages may look exactly the same as the real ones. For that reason, the part of the address before the first slash ( / ) that follows https://, which is the site’s domain name, should be checked carefully.
- An open-source web browser such as Brave, Firefox or Chromium should be used.
- Passwords should never be saved in a browser.
- Add-ons that are not trusted should not be installed.
- Browser history should be turned off and browser cache and cookies should be cleared regularly.
- Java and Flash should be disabled if not needed.
- For search privacy, DuckDuckGo, Startpage or Qwant can be used.
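The following Python example is added here as an illustration and is not part of the original paper. It applies the advice above about HTTPS and about reading the part of the address before the first slash: it extracts the real host from a login URL and compares it with the hosts the user actually has accounts on. The trusted host names and sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: a hypothetical list of hosts where this user really has accounts.
TRUSTED_HOSTS = {"accounts.example.org", "mail.example.org"}

def check_login_url(url, trusted=TRUSTED_HOSTS):
    """Return (ok, reason) for a login URL, judging only its scheme and host."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not HTTPS"
    # hostname is lower-cased and excludes any user-info and port.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    # Text before '@' is user-info, not the site; it is often made to look like one.
    if parts.username is not None:
        return False, f"text before '@' is not the site; real host is {host}"
    # Non-ASCII or punycode labels can imitate familiar letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, f"internationalised host name, check for look-alike letters: {host!r}"
    # An exact match is required: a trusted name used as a prefix is still another site.
    if host not in trusted:
        return False, f"unexpected host: {host}"
    return True, f"host matches: {host}"

# Constructed sample URLs, for illustration only.
SAMPLES = [
    "https://accounts.example.org/login",
    "http://accounts.example.org/login",
    "https://accounts.example.org@login.example.net/signin",
    "https://accounts.example.org.secure-login.example.net/",
    "https://\u0430ccounts.example.org/login",  # first letter is Cyrillic
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_login_url(sample), ascii(sample))
```

Only the first sample passes; the others show the common ways a fake login address imitates a real one while pointing at a different host.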
Passwords, Password Manager and 2FA
Passwords are the key to all information whether personal or professional and an important part of digital security.
- Safe passwords are at least 14 characters in length. A combination of random numbers, symbols, uppercase and lowercase letters and spaces is ideal. The same password should not be reused across digital platforms.
- Adding a security screen to digital devices is recommended; it prevents people nearby from seeing the screen of the device.
- Understanding of the recovery process for each password is important.
- When logging in somewhere, the site’s SSL certificate should be checked for validity.
- 2FA that does not rely on SMS or calls must be enabled, using an open-source app or hardware-based 2FA.
- An open-source password manager must be used so that the password database is kept encrypted.
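The following Python example is added here as an illustration and is not part of the original paper. It checks passwords against the criteria in the first item of the list above (at least 14 characters, with numbers, symbols, uppercase and lowercase letters and spaces, and no reuse across platforms) and generates one that meets them. The account names and passwords in the sample are constructed.

```python
import secrets
import string

MIN_LENGTH = 14  # minimum length recommended in the list above
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "number": string.digits,
    "symbol": string.punctuation,
    "space": " ",
}

def weaknesses(password):
    """List which of the criteria a single password misses."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            found.append(f"no {name}")
    return found

def audit(vault):
    """Map each account to its weaknesses, including reuse on other accounts."""
    report = {}
    for account, password in vault.items():
        issues = weaknesses(password)
        shared = sorted(a for a, p in vault.items() if a != account and p == password)
        if shared:
            issues.append("reused on " + ", ".join(shared))
        report[account] = issues
    return report

def generate(length=16):
    """Draw random passwords from the OS CSPRNG until one meets every criterion."""
    if length < MIN_LENGTH:
        raise ValueError("length is below the recommended minimum")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Some login forms trim leading/trailing spaces, so keep spaces inside.
        if candidate == candidate.strip() and not weaknesses(candidate):
            return candidate

if __name__ == "__main__":
    # Constructed sample data, for illustration only.
    sample = {"mail": "Summer2023", "social": "Summer2023",
              "bank": "Correct horse 7 battery!"}
    for account, issues in audit(sample).items():
        print(account, issues or "ok")
    print(generate())
```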
Security and Privacy Setting on Social Media
The risks related to social media include cyberbullying (bullying using digital technology), online gender-based violence (OGBV), information theft and identity theft, invasion of privacy, and so on. Social engineering manipulates human feelings, such as curiosity or fear, to carry out schemes and draw victims into traps. Therefore, preventive measures should be taken immediately whenever a professional is alarmed by an email, attracted to an offer displayed on a website, or when coming across stray digital media lying about any topic. Cautionary measures are:
- Using multifactor authentication is a must.
- One should be wary of tempting offers and avoid them. Avoiding clicking on suspicious links is always advised on any social platform while performing professional responsibilities.
- Privacy settings should be set up with customisation so that only verified friends have access to the posts.
- Keeping private and work accounts separate is the best way.
Encryption
Encryption is the process of taking plain text, like a text message or email, and scrambling it into an unreadable format called “cipher text.” This helps protect the confidentiality of digital data either stored on computer systems or transmitted through a network like the internet. End-to-end encryption (E2EE) is a method of secure communication that prevents third parties from accessing data while it is transferred from one end system or device to another. In E2EE, the data is encrypted on the sender’s system or device and only the recipient is able to decrypt it.
- A virtual private network, better known as a VPN, is popularly used for encryption; it protects one’s identity and browsing activity from hackers, businesses, government agencies, and other snoops. When connecting to the internet, personal data and the IP address are hidden by a type of virtual tunnel. When choosing a VPN, the security experience of the VPN provider, the VPN’s privacy policy and the number of server locations should be checked carefully.
- On the other hand, Tor is free and open-source software for enabling anonymous communication. It directs internet traffic through a free, worldwide, volunteer overlay network, consisting of more than seven thousand relays, to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis.
- Pretty Good Privacy (PGP) is an encryption system used both for sending and receiving encrypted emails and for encrypting sensitive files. It is also used for verifying any email sender.
- Mailvelope is a browser extension that allows secure email communication based on the OpenPGP standard. It can be used with existing email to encrypt and sign electronic messages, including attached files, without the use of a separate, native email client.
- Thunderbird 78 has built-in support for two encryption standards, OpenPGP and S/MIME.
- Signal, Wire and Briar are some trustworthy messaging apps designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate.
Data Backup
Making backups of collected data is critically important in data management. Backups protect against human errors, hardware failure, virus attacks, power failure, and natural disasters. Backups can help save time and money if these failures occur. On the Windows operating system, the built-in backup feature can be used. Professionals should always store media used for backups (external hard disks, DVDs, or CDs) in a secure place to prevent unauthorized people from having access to important files; a fireproof location separate from the working computer is recommended.
- Regular backup is a must. More than one is recommended.
- The original and the backup data should not be kept in the same place.
- Backup should always be encrypted with reliable tools.
- Duplicati is a free, open source, backup client that securely stores encrypted, incremental, compressed backups on cloud storage services and remote file servers.
Mobile Phone Security
Similar to a hacking attack on a personal computer or enterprise server, a mobile security threat exploits vulnerabilities in mobile software, hardware, and network connections to enable malicious, unauthorized activities on the target device, leading to severe cyber-violence. Cautionary measures are:
- Using a password on mobile phones is a must.
- When installing any application, professionals should consider what permissions they are allowing.
- Full Disk Encryption should be turned on.
- GPS should be turned off.
- Jailbreaking or rooting the phone must be avoided.
- Unfamiliar messages or media must be deleted.
- Lock screen security must be optimised.
- When locations or movements need to be protected, professionals should not carry their mobile phones with them.
Concluding Remarks
Privacy underpins human dignity and other key values such as freedom of association, freedom of speech, freedom of thought, and freedom of conscience. Sometimes this is termed ‘the right to be let alone’. Privacy and security are critical concerns for journalists, women and HRDs especially in today’s digital age where information can be easily intercepted or exposed. Journalists often deal with sensitive sources, and confidential information, and may face threats to their safety. Unfortunately, with the advancement of technologies such as computers, the Internet, mobile phones, digital video and audio, and surveillance systems, among a wide variety of others, the possibility of intrusion of privacy has increased manifold. Individuals need to be aware and practically cautious of their digital footprint, use privacy settings, and consider the implications of sharing personal information online. Additionally, ongoing discussions and debates on privacy rights, government surveillance, and the responsible use of technology should continue to shape the legal and ethical landscape surrounding privacy in the digital age.
[1] https://www.thedailystar.net/opinion/views/news/relabelling-the-dsa-wont-protect-citizens-cybercrimes-3399621
[2] https://www.thedailystar.net/law-our-rights/news/pegasus-controversy-and-cyber-security-bangladesh-2143751
[3] https://www.thedailystar.net/law-our-rights/news/pegasus-controversy-and-cyber-security-bangladesh-2143751