In this session, you will review with participants the tools, basic rules and best practices that would help them to keep their communications private and safe from surveillance.
- Understanding the risks of online communications;
- Choosing a secure messaging platform.
Practical skills taught:
- Choosing a secure messaging platform that suits your needs;
- Learning to use Telegram, Signal, WhatsApp or Wire;
- Using a VPN (optional);
60 min (or 75 min with an optional session on using VPN)
Basic for most of the content.
Basic computer and email/social media literacy
Projector, slides, paper, laptop connected to the internet, handouts,
Quiz: My Conversations, Handout: Keep your digital conversations private
Advanced preparation required:
Before the session, do research to become familiar with the national legislation and common law-enforcement practices (if any) related to the use of encryption, messaging apps, and VPN. A good starting point is here, however be sure to get up-to-date information from local sources. WARNING: CyberSTAR does NOT recommend teaching material that contravenes local law. Messenger and VPN directions are only for use in the jurisdictions where it is considered both legal and a best-practice.
A. Setting the scene (10 min)
Start the session by describing what it is about, situating the session among the other points of the CyberSTAR, and outlining what the participants will learn by the end of the session.
Set the scene by discussing the importance of protecting our digital communications.
Ask participants the following questions to start the discussion:
Why should you care at all about keeping your communications private?
What do you protect by keeping your communications private?
What types of communication are you currently using?
Make sure that the following points are addressed:
We often communicate sensitive information about ourselves, our organizations, partners and beneficiaries. This information can be used for nefarious purposes, including to impersonate someone, blackmail, intimidate, defraud, etc.
B. Digital communication (15 min)
Give participants a high-level overview of how digital communication works. Explain that when two participants exchange information via the Internet, in addition to the apps they use, the information moves through a number of pieces of networking equipment. This equipment is owned by different companies and organizations, and it is almost impossible to know who is monitoring or intercepting your communication.
Play the short animated video, showing how information traverses the multi-step paths, while moving back and forth between two users.
[Examples from the security-in-a-box guide may be used to produce the script]
Following the video, summarize main points: the information you send and receive passes through many different devices controlled by many different companies, organizations, government agencies and individuals. Criminals, companies, rogue groups and governments can monitor or intercept your digital communication at several points:
On your device, if it is infected with malware or if someone observes your communication directly;
At your WiFi router, if it is infected with malware or controlled by someone with malicious intent;
By your ISP or mobile provider, either for their own purposes or on behalf of a third party;
At a national gateway, sometimes even if all participants and services are located in the same country;
While passing through a physical cable on the Internet backbone, if it is “tapped” (typically by a state actor);
By the ISP or website of the service you are using;
By the ISP or mobile provider of the people with whom you are communicating;
On any of the servers that store or route your communication;
At some other participant’s WiFi router, if it is infected with malware or if they have malicious intent;
On some other participant’s device, if it is infected with malware or if someone observes their communication directly.
C. Encryption and secure messaging (10 min)
Share with the participants that because of the complexity of network infrastructure that our communication moves through and the multitude of vulnerabilities along the path, the best way to ensure the security and privacy of their communication is to use encryption.
Give participants a high-level overview of how encryption works.
Tell participants that in deciding which secure messaging app to use, they should look for end-to-end encryption.
End-to-end encryption is when the content you send and receive is encrypted throughout the entire path between your device and the device of the person or people with whom you are communicating. It protects that content from your service provider, the service provider of the other participant and anybody else along that path.
[Show a video that displays the difference between client-server encryption and End-to-End encryption at a high-level to reinforce where data can be intercepted. A good starting point in English (heavily accented) is here.]
D. Secure messaging platform (15 min)
Share with the participants the names of two to three secure messaging apps that provide end-to-end encryption and are generally considered secure: Telegram, Signal and WhatsApp.
Mention that while no single app can guarantee that nobody will be able to monitor or intercept your digital communications, participants should choose an app that minimizes the risk and serves their needs.
If participants ask about the security of other popular messaging apps, explain that there are a variety of criteria to consider when selecting a messenger app. Sites such as this can be helpful in going through some of the criteria for popular apps such as Signal / WhatsApp / Telegram. Use caution however, as these applications are constantly changing. What you recommend in 2020 may not be what you recommend in 2021 or later.
Outline a process that can help participants choose a secure messaging platform. Their starting point should be the risk matrix they developed earlier. These risks should be compared to different platforms to identify a single platform that provides the maximum protection.
One potential process is to:
1- Choose the criteria that matter to the user
2- Give each chosen criterion a point value (weight)
3- Create a table with the criteria in the top row (the columns) and the apps in the first column (the rows)
4- Fill in the table, marking which criteria each app supports
5- Each app gets the sum of the point values of the criteria it supports
6- Rank the apps by their totals
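The six-step scoring process above, written out as a small script. This is an added example, not material from the CyberSTAR session plan; the criteria, their weights and the three app rows (AppA, AppB, AppC) are constructed placeholders, not claims about any real messenger.

```python
# Added example: weighted criteria ranking for choosing a messaging platform.
# All criteria, weights and app feature values below are constructed samples.

# Steps 1 and 2: criteria the user cares about, each with a weight that
# should come from the participant's own risk matrix (sample values here).
CRITERIA_WEIGHTS = {
    "end_to_end_by_default": 5,
    "open_source_client": 3,
    "disappearing_messages": 2,
    "no_phone_number_required": 2,
    "two_factor_auth": 3,
}

# Steps 3 and 4: the table, one row per app, True where the app supports
# the criterion. App names and values are hypothetical placeholders.
APP_TABLE = {
    "AppA": {"end_to_end_by_default": True, "open_source_client": True,
             "disappearing_messages": True, "no_phone_number_required": False,
             "two_factor_auth": True},
    "AppB": {"end_to_end_by_default": False, "open_source_client": False,
             "disappearing_messages": True, "no_phone_number_required": False,
             "two_factor_auth": True},
    "AppC": {"end_to_end_by_default": True, "open_source_client": False,
             "disappearing_messages": False, "no_phone_number_required": True,
             "two_factor_auth": False},
}


def score_app(supported, weights):
    """Step 5: sum the weights of the criteria this app supports.
    A criterion missing from the app's row counts as unsupported."""
    return sum(w for c, w in weights.items() if supported.get(c, False))


def rank_apps(table, weights):
    """Step 6: list of (app, score), highest score first.
    Ties are broken by name so the ranking is stable between runs."""
    scored = [(app, score_app(row, weights)) for app, row in table.items()]
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored


def unmet_criteria(supported, weights):
    """Weighted criteria an app does not cover: the residual risk to discuss."""
    return [c for c in weights if not supported.get(c, False)]


if __name__ == "__main__":
    max_score = sum(CRITERIA_WEIGHTS.values())
    for app, score in rank_apps(APP_TABLE, CRITERIA_WEIGHTS):
        print(f"{app}: {score}/{max_score}, unmet: "
              f"{unmet_criteria(APP_TABLE[app], CRITERIA_WEIGHTS)}")
```

The top-ranked app is not automatically the right choice: the unmet list shows which weighted risks it still leaves open, which is the point to discuss with participants.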
[Re-develop a graphic model to provide a step-by-step process for matching an organization’s risk profile to a specific platform].
Run a practical demonstration: show participants how to install a secure messaging app you consider to be most appropriate for the audience, how to send a message and/or start a call, and how to enable 2FA.
E. Legal limitations of encryption and VPN tools (5 min)
Based on research done in advance, share with the participants legal restrictions on the use of encryption and/or VPN (if any) in the country(-ies) in which they operate or to which they travel frequently. Sites such as this can help in this regard.
F. Using VPN (optional, 10 min)
Share with the participants that while encryption hides the content of your communication, it cannot hide the fact that you are communicating, who you communicate with, and how often you do so. Explain what metadata is and how much information it can reveal.
Tell the participants that if they want to hide all their network traffic from cybercriminals, a VPN may be useful. Explain briefly how a VPN works, using the following analogy: a VPN provides as close as you can realistically get to a direct and hidden cable for communication between you and those with whom you need to exchange digital information. In this sense, a VPN provides an additional layer of protection for your communication, and a layer that is thicker than the one provided by encryption alone. The downside to using a VPN is that the provider then also knows everything about your communications. This means that you need to choose a provider carefully.
Mention that while there are many VPN services on the market, it is important to only use those services that are considered secure and trustworthy. Instead of protecting your communications, an untrusted VPN service can expose your communications and data to an even greater risk of interception.
Recommend two to three reliable VPN services.
[Services such as ProtonVPN and TunnelBear have been useful in the past, but consult the EFF article here to explain that there are many factors to consider in selecting a provider. Also be aware that services are constantly changing, as should your recommendations. Include a basic demonstration of how a selected VPN service works.]
G. Wrap-up (5 min)
Provide a brief summary of practical skills that the participants should have learnt during the session.
Ask participants if they have any questions, answering the questions when possible or pointing them to online resources when the questions are not relevant to the rest of the group.
Distribute handouts or links to electronic versions with step-by-step practical guides on the most common technical issues the participants are known to encounter.