quarterly report information safety & capacity (isc) project
TRANSCRIPT
Quarterly Report
Information Safety & Capacity (ISC) Project
Leader Cooperative Agreement Number: FD-A-00-09-00141-00
Associate Cooperative Agreement Number: AID-OAA-LA-11-00008
Period: July 1, 2019 – September 30, 2019
FY2019
Submitted To: USAID/DCHA
Grantee: Counterpart International
2345 Crystal Drive
Arlington, VA 22202
Contents
Acronyms ...................................................................................................................................................... 2
About the ISC Project .................................................................................................................................... 3
Executive Summary ....................................................................................................................................... 3
Successes and Highlights Under Objective 1 ................................................................................................ 3
2019 ISC Global Workshop ........................................................................................................................ 3
Digital Security Trainings and Assistance .................................................................................................. 5
Successes and Highlights Under Objective 2 ................................................................................................ 6
Successes and Highlights Under Objective 3 ................................................................................................ 7
Successes and Highlights Under Objective 4 ................................................................................................ 7
Reflections on ISC's Service Delivery ............................................................................................................ 8
What’s Working ........................................................................................................................................ 8
Obstacles ................................................................................................................................................... 8
Latest Threats ............................................................................................................................................ 9
Country Context and Emerging Changes ...................................................................................................... 9
Asia ............................................................................................................. Error! Bookmark not defined.
Balkans .................................................................................................................................................... 10
Nicaragua ................................................................................................................................................ 10
Tanzania .................................................................................................................................................. 10
Looking Ahead ............................................................................................................................................. 11
Acronyms
AOR Agreement Officer Representative
CSO Civil Society Organization
DSS Digital Security Specialist
DDoS Distributed Denial-of-Service
FY Fiscal Year
ICT Information and Communications Technology
IGIF Internet Governance, Internet Freedom
ISC Information Safety and Capacity
ISP Internet Service Provider
IT Information Technology
LGBTQ Lesbian, Gay, Bisexual, Transgender/Transsexual, and Queer/Questioning
LP Local Partner
MitM Monster-in-the-Middle
NGO Nongovernmental Organization
TOT Training-of-Trainers
VPN Virtual Private Network
About the Information Safety and Capacity Project The ISC Project provides capacity building and information security assistance to civil society activists,
human rights defenders, and journalists operating in non-permissive environments around the globe. To
support those stakeholders in securing their online and mobile communications so they can safely
engage in the online civic space, the ISC Project provides mentoring and technical assistance within the
framework of the following four objectives:
Objective 1: Improve ICT security capacity of local partner organizations;
Objective 2: Engage with specialized audiences and marginalized populations through outreach
and partnership development;
Objective 3: Foster the development of improved technology-based solutions to information
security threats; and
Objective 4: Enable civil society stakeholders to advocate on behalf of internet governance
issues and/or legislation.
Executive Summary ISC digital security specialists (DSSes) trained 354 individuals, most of whom were first-time trainees on
digital hygiene basics such as secure online communications, browsing the internet safely,
circumventing censorship, and using tools designed to protect their civil society work or independent
reporting. ISC DSSes provided technical assistance and support to 37 local partner organizations.
ISC conducted three Training of Trainers (ToT) workshops for expanded the capacity of 26 people who
developed advanced digital security skills and learned new facilitation techniques.
Two advocacy grants under the internet governance, internet freedom (IGIF) objective closed this
quarter: a grant on data policy recommendations in Ukraine and another for a perception survey of
internet users in Sri Lanka on online security risks.
ISC hosted its annual Global Workshop, expanding participation to include over 75 attendees from 26
countries. Over three days, participants discussed cyber security challenges and emerging threats in
their countries, shared digital security tools, and discussed strategies to advance IGIF policy advocacy.
ISC made personnel changes – welcoming a new Chief of Party, Eric Johnson (20 years of internet
freedom project experience in 50 plus countries) and Deputy Chief of Party, Nurhan Kocaoglu (10 years
of experience managing the administration of donor-financed, good-governance projects).
Successes and Highlights Under Objective 1 2019 ISC Global Workshop The ISC organized its annual Global Workshop in Nairobi, Kenya from July 15-17, 2019. Human rights
defenders, journalists, and activists were provided with a unique platform to meet with leading digital
technologists, forage new partnership, strengthen existing ones, and share regional experiences.
Workshop session topics ranged from strategies on how to advocate for a free, open, inclusive, secure,
and democratic Internet, to the ramifications that digital
surveillance and disinformation campaigns have on civic
spaces. The event covered the most up-to-date and relevant
trends and threats in the information security and Internet
governance fields, while gathering leaders in the tech industry
to pair them with frontline activists.
The first day of the workshop featured a series of regional conversations aimed at describing the current
operating environment of our local digital security and IGIF partners in Sub-Saharan Africa, Latin
America, Europe, and Asia. By tracking changing levels of resistiveness and openness, as well as
identifying where progress has been made or proved impossible, participants were able to gain
important lessons learned from their peers and formulate cross-cutting resistance techniques. The latter
half of the day was comprised of our Geek and Greet session, which included product demos and case
study highlights from our technology partners CrossCheck International, Equalit.ie, GreenHost, JigSaw,
Microsoft, Mozilla, and Ushahidi. Ensuring that tool developers are engaging with our local partners (and
vice versa) is key to forming beneficial public-private partnerships.
On the second day, participants led peer-to-peer skill sharing sessions on topics they are passionate and
knowledgeable about, such as new cyber defense products and innovative policy advocacy practices. For
example, there were presentations on digital security applications aimed at securing journalists’ online
communications and a gamification training tool for civil society organizations which helps them
administer their own digital security audits.
The third day of the workshop was spent in facilitated conversation about new and ongoing digital
security threats with the goal of sharing local responses and approaches to combating these issues. 86
percent of attendees responded that they felt threats were similar across all regions represented,
especially within these categories:
• Online intimidation and hate speech
• Lack of access to safe Internet
• Network shutdowns
• Surveillance
• Harmful legislation
• Digital divide and poor ICT infrastructure
• Desire of state to control and regulate citizens
• Restricted freedom of expression
• Organized state trolling and disinformation
• Censorship
• Low trust in journalism
• Extremely rapid and recent expansion of state monitoring and filtering capabilities
Attendees put forward solutions that focused on: practices for keeping data secure; maintaining
feedback loops between activists, civil society organizations, and international development
practitioners; mainstreaming cybersecurity and Internet rights for the masses; and launching
advocacy/lobbying campaigns against repressive information laws and cyber-censorship.
The workshop concluded with a Regional Horizon Scanning dialogue which aimed at generating ideas on
countermeasures and responses to digital security threats that are likely to arise in the coming months.
The outcome of the dialogue was a “wish list” for future programming and ISC support to local partners
in FY20. Participants felt energized by the connections made with colleagues and uncovering similarities
in the obstacles they face, and they requested more regional conferences be organized to create
Global Workshop Participants
26 countries represented
39 local digital security partners
14 technologists from the private sector
5 IGIF experts
opportunities to learn from each other and meet more and varied technologist or developers. The
workshop evaluation surfaced what participants found most beneficial from the event.
Digital Security Trainings and Assistance ISC DSSes trained 354 individuals; 150 of whom were female and 70 percent of whom were considered
youth. Overall, participants increased their digital security skills by 52 percent, according to pre and post
workshop evaluations. Many of these trainings centered on common, basic steps that organizations and
activists can take to secure their work online and operate free from viruses, government surveillance, or
hacking.
Local partners do not get hacked
• In Bangladesh, 4 members of BD-26, 7 Members of BD-18, and 7 members of BD-9 (all human
rights defenders) participated in a basic digital security training that covered two-factor
authentication, how to use a virtual private network, discovering device vulnerabilities,
recognizing phishing attempts and malware, and ensuring system updates and data security.
• In Bosnia and Herzegovina, 23 participants from an election monitoring organization (BA-01)
and LGBTQ organization (BA-16) were trained on similar basic digital security and awareness.
Local partners get fewer software viruses
• In Cambodia, KH-9, KH-28, KH-45 encountered a series of viruses resulting from unlicensed
software. An ISC in-kind grant gave them official software with automatic system updates.
• In Bangladesh, ISC gave in-kind grants for 75 Bitdefender GravityZone licenses and 27
Bitdefender Mobile Security for Android licenses were provided to BA-01 to protect the
organization’s devices from common viruses.
• In Tanzania, 28 citizen journalists (TZ-04) received anti-virus software.
Local partners have better privacy practices
• In Cambodia, a network of Cambodian CSOs (KH-27), convened a stakeholder meeting (attended
by ISC’s local DSS) and adopted Pshipon as the main VPN provider for all organizational devices.
Local partners have secure communication
• ISC’s Balkan DSS was asked by MK-08 (an LGBTQ support center) for a secure way to
communicate via group chat in advance of next year’s Skopje Pride Parade (they experienced
leaks in some their online communication). They plan to utilize Signal moving forward.
• 31 local partners in Bangladesh were instructed on how to establish safe communication online
through the use of secure chats, messaging applications, and private video conferencing.
• A group of human rights defenders in Cambodia (KH04), a high-risk partner, faced phone
tapping in the past but ISC’s security audit exposed the vulnerability and they now use Signal.
Local partners have a digital security policy
• In Bangladesh, BD-18, a CSO platform, took the initiative to work on a digital security guideline
this quarter with support from the ISC’s DSS. BD-18 is a platform for dozens of organizations
with unique internal policies and the guidebook will ensure coordinated security practices.
• Graduated LP in Tanzania, TZ-08, developed a digital security policy for nine CSOs to safely guide
the use of ICT infrastructures within their respective organizations.
Local partners have a secure system/network
• In Tanzania, TZ-11 received an in-kind grant to procure a SOPHOS XG 125 firewall to protect
their network against unwanted traffic, as well as Intrusion Detection and Prevention System for
further network protection. These measures were set in place after the ISC Tanzanian DSS
discovered that the LP was facing close surveillance by state actors.
• A Tanzanian women’s media organization (TZ-07) received an in-kind grant to restructure its
LAN set up and put more security measures in place by configuring a firewall for their office
traffic and installing an intrusion detection system.
• 8 local partners in Ecuador had their network systems audited by the in-country DSS this quarter
who made suggestions on more secure hardware and software, as well as safer ISPs.
Local partners respond to or prevent digital security threats
• In Tanzania, graduated LP TZ-08 was awarded a grant to advance ongoing work to increase
CSOs’ digital security knowledge in Tanzania. Two objectives were completed this period: 1)
Conduct a security audit and assessment of staffs’ digital security awareness for nine
organizations, and 2) Develop a findings report and draft action plan aimed at fixing current
threats and preventing future vulnerabilities. They uncovered very low digital security capacity
and awareness among CSOs, who are facing dangerous hacking and surveillance by state actors.
Successes and Highlights Under Objective 2 ISC seeks to provide focused support to specialized and marginalized communities who face digital
security threats that are specific or heighted due to their already precarious situation within society.
Women, youth, indigenous populations, religious minorities, and LGBTQ organizations are trained and
mentored within each of the project’s focus countries.
Journalists are better able to investigate digital security threats
• In Cambodia, KH-9 received basic digital security trainings and continued mentorship from ISC, and their professional and citizen journalists are now able to investigate digital security threats and publish findings anonymously online.
• 29 journalists from TZ-4, a rural press club in Tanzania, did a three-day capacity training on securing their online communication with colleagues and sources and circumventing blocked websites to conduct investigative research and publish their findings safely online.
Marginalized groups are better able to understand and mitigate digital security threats in their
communities
• Indigenous groups in Ratanakiri, Cambodia, represented by KH-3, were using pirated software until the ISC Cambodia DSS conducted a security assessment and assisted the organization to apply for genuine software through partnership with TechSoup.
• In Bangaldesh, 5 hijra community members and volunteers from BD-15 received technical support in configuring their organization’s Facebook security settings and installing malware removal tools. This was follow-on assistance after receiving training on online threats and how to fix vulnerabilities.
Specialized and/or marginalized communities build strong, sustainable, mutually supportive
networks with respect to understanding and mitigating digital security threats
• In Bangladesh, KH-3 and KH-25 conducted digital security trainings for their network partners, including youth organizations, indigenous conservation groups, and a pro-environment CSO, in very remote areas of the Kampong Thom and Preah Vihear provinces.
• Two basic digital security trainings were done in Tanzania for a rural and women’s-focused press club with special emphasis on the unique vulnerabilities that women journalists face and how to defend against them with the support of male colleagues.
Successes and Highlights Under Objective 3 Tools are tested by local partners (end-users) and feedback goes to developers ISC’s local partners who are trained by DSSes are taught how to evaluate digital security tools, not
simply told which services and applications to use. ISC worked in close coordination with Psipho to test
and provide feedback on the usability of its VPN service around the world, and in exchange Psiphon
created an add-free version of the VPN for ISC staff and local partners.
ISC effectively runs technology grants ISC issued a fifth call for proposals for small technology grant funding that aims to help improve existing
tools and/or services that will benefit ISC’s local partners. ISC received responses from ten organizations,
five are being considered for funding: Great Fire, TAILS, Nothing2Hide, the Briar Project, and the
Guardian Project. Projects in 2020 will include: updates for resource websites, translation of existing
applications into new languages, and improving the code of certain tools operating via Bluetooth.
Successes and Highlights Under Objective 4 Local partners increased understanding or awareness of Internet policy among its target group Ukraine’s Digital Security Lab (DSL) contributed to a number of legal strategy developments through
the CSO consortium Free Net Ukraine Coalition, which supports internet freedom litigation. A recent
example is the case of Enigma.ua, an online media page that was 1 of 18 sites blocked by the Pecherskyi
District Court (Kyiv) in July 2019 for alleged intellectual property violations. The case is currently being
litigated in the Kyiv Appeal Court by Free Net UA Coalition member and former IGIF partner and Human
Rights Platform lawyer, Oleksandr Burmagin, with assistance from DSL. The Digital Rights Agenda, a set
of recommendations for best practice policy adoption was developed by DSL and shared during an
expert discussion with lawyers and human rights defenders in Kyiv with the aim of finalizing and using it
as an advocacy resource to inform policy-driven initiatives and influence public authorities.
Perceptions and Experiences of Online Security and Privacy by Internet Users in Sri Lanka, a study
conducted by partner LIRNEasia made several key findings among Sri Lankan Internet users: Generation
Z (born after 1995) Internet users find it easier to make use of the Internet than for Generations X (born
between 1960 – to 1980) and Y (born between 1981 – 1995) Internet users; Generation X and Y females
progress slowest, while males in the same Generation are somewhat better - Generation X and Y
females are the most dependent and restricted Internet users; and ‘privacy’ and ‘security’ are terms
which are used interchangeably by Internet users, although both of these concepts are not considered
very important by those surveyed. Through ISC support, the Sri Lankan portion of the study will
contribute to the International Development Research Center’s (IDRC) ongoing research project to
examine regional practices in Asia.
Reflections on ISC's Service Delivery What’s Working ISC’s methodology has been adapted, refined, and localized throughout its almost decade-long period of
implementation. The core model of support continues to focus on providing tailored support to human
rights defenders, marginalized groups, and independent media. ISC’s comprehensive model combines
immediate, short-term assistance with long-term, sustainable support.
• ISC starts with an organization-wide security audit of all new LPs, local DSSes identify critical
areas of insecurity and immediately begin the process of providing in-kind grants for key
hardware and software purchases.
• DSSes also assess LPs’ capacity for adopting safe practices online through site visits and train LPs
to raise awareness and digital security skills among the organization’s personnel.
• After assessment and planning, DSSes mentor LPs and provide technical assistance while the
organizations build and deepen in-house security expertise, often through ISC’s ToT program.
Trust, local networks, and collaborative relationships are part of the project’s approach to working
through and around the complexity of political, social, and cultural contexts. ISC has spent years
identifying, building, and maintaining relationships with local experts and cultivating connections with
social media platforms and technology companies. These relationships are critical to the ISC’s success in
helping civil society organizations put in place better digital security practices and restoring safety after
an attack.
Obstacles ISC cannot always provide the level and frequency of support required by our 100+ LPs, especially
because most organizations do not have dedicated IT staff. While ISC’s DSSes are capable of providing
support on an as-need basis, they cannot fulfill the critical role on an internal IT specialist.
ISC’s ToT program is designed to alleviate these pressures by building up a larger cadre of local digital
specialists. This solution has been effective to a certain extent, creating capacity and digital security
skills within organizations, but many LPs require the support of an in-house, basic IT expert. Ultimately,
ISC can only make lasting changes with LPs who are investing in these staff and solutions.
Latest Threats Internet communication technologies (ICTs) are being wielded against human rights activists, journalists,
and civil society organizations by authoritarian actors. Demand for the ISC’s digital security training is
increasing as the frequency and sophistication of these threats evolve and become more widespread.
ISC’s LPs face digital security threats including online surveillance, cyber censorship, unlicensed
software, mobile device insecurity, online harassment, privacy of data, and equipment confiscation.
Illegal Surveillance From Latin America, to the Balkans, and Sub-Saharan Africa, authoritarian leaders have purchased
increasingly sophisticated surveillance technology to better track and regulate citizens.
Trolling, Doxing, and Disinformation These tactics are on the rise as state actors try to shape public debate and perception, often drowning
out independent voices who attempt to uncover corruption or speak out against other injustices.
Harmful legislation Cybercrime laws in Bangladesh, Cambodia, and Tanzania have been used to prosecute marginalized
groups and independent journalists under dubious claims of religious defamation, harming cultural
sensitivities, and even terrorism.
Online and Offline Violence against HRDs and Journalists Activists and journalists in autocratic countries face daily threats of violence against their person and
devices. Para-police groups carry out extrajudicial attacks in the form of harassment, detention,
defamation, and confiscation of equipment.
Country Context and Emerging Changes Bangladesh Media reports surfaced this quarter providing evidence that the Bangladeshi state is now equipped to
monitor, block, and filter online content, including posts published on social media. The Department of
Telecom (DoT) has developed a system under the “Cyber Threat Detection and Response” project which
will be used for around-the-clock monitoring of hundreds of different sites at a rate of about 1,200gbps.1
Law enforcement agencies have similarly tasked the DoT to block content which they deem as
derogatory or harmful. Civil society groups and independent journalists fear that such monitoring will
have a deafening effect on oppositional views and the work of marginalized groups like LBGT
organizations, which are already considered ‘anti-religious’ under a religious defamation law.
1 https://www.thedailystar.net/frontpage/bangladesh-govt-can-now-monitor-block-filter-online-facebook-contents-1802497
Cambodia Scoring 55/100 (partly free) in Freedom House 2018 Freedom on the Net report and 143 in the World
Press Freedom Index, Cambodia is considered a high-risk nation for cybercensorship and attacks to
freedom of expression. This year, the government issued an inter-ministerial “prakas” (or proclamation)
which lays the groundwork for future blocking and filtering of online content. This new anti-cybercrime
law has raised concerns that it will negatively affect independent media, as the country is taking aim at
Facebook users who are community activists and opposition supporters are increasingly subject to the
same pressures as the traditional media. Recent findings of Media Ownership Monitor Cambodia project
shows that about 95 percent of Cambodia’s media outlets are now affiliated with the government and
ruling party. Cambodians now only have access to news provided by major media groups directly linked
to Hun Sen, such as the online news agency Fresh News, which pumps out pro-government propaganda.
Only the Voice of Democracy network, whose radio station was closed, tries to resist on social networks
by streaming live on Facebook. Journalists who still dare to conduct investigative reporting on subjects
the regime dislikes (such as prostitution of minors) are imprisoned.
Balkans HUAWEI is making strong entrance into the Balkan markets and has begun selling their surveillance
technology to regional governments. The telecommunications company has entered into an official
partnership with the Government of Serbia and there are indications that they might do the same with
the Government of the Republic of Srpska Entity in Bosnia and Herzegovina. In Belgrade, HUAWEI has
already started installing cameras for facial recognition and tracking.2
Courts in North Macedonia charged a number of high-profile businessmen with extortion in a
corruption case that also implicates former special prosecutor Katica Janeva. Janeva and the
businessmen were caught trying to blackmail one another with recordings unlawfully obtained by the
previous government through its illegal surveillance program that targeted over 20,000 individuals. The
case reveals how the surveillance scandal continues to hinder anticorruption efforts and puts into
question the security of data collected by the previous regime.
Nicaragua Throughout 2019, numerous cases of abuse and digital attacks perpetrated by state actors in Nicaragua
against our beneficiary groups, private companies, and other opposition groups not serviced by the
project. Political polarization has exacerbated cases of human rights violations in a number of notable
ways; ISC’s local DSS discovered multiple instances where LPs’ computers/hardware were confiscated
from their offices, social media accounts were taken down after state trolls falsely flagged them for
inappropriate content, and DDOS attacks occurred against at least four independent media websites.
Tanzania The passing of a new Miscellaneous Amendment Act 2019 has severely restricted the working
environment for most local partners in Tanzania. The Miscellaneous Act limits the amount of funding a
non-profit organization can receive from abroad and forces CSOs to reveal their donors, as well as a list
2 https://eu.usatoday.com/story/tech/2019/10/16/huawei-surveillance-cameras-spread-china-serbia-and-elsewhere/3995561002/
of intended projects. This lack of privacy has led to the closure of certain projects that the state deems
‘inappropriate’, especially those related to election monitoring or which support LGBTQ communities.
As with many authoritarian countries, state actors are partnering with private companies to increase the
complexity of their surveillance software and techniques. For instance, MNO and Vodacom have been
accused of selling customers’ data to the state without prior consent citing reasons of ‘national security’.
These tools and techniques have been used disproportionately against human rights defenders and
journalists. ISC’s DSS in Tanzania discovered using an OONI Probe that Vodacom was blocking Signal for
an LP activist. Similarly, during a LP assessment, the DSS uncovered that certain ISPs were surveilling and
censoring staff’s browsing as websites couldn’t be reached from their network and users were not given
full access to their network devices’ C-Panel or Hosting root account. ISP companies have implied that
they are forced to comply with state demands or risk having their business licenses revoked.
Looking Ahead In ISC’s ninth and last year, the project will continue its successes and evolve by significantly expanding
the number of countries in which it is engaged. Local DSSes are being hired in:
• Albania • Armenia • Azerbaijan • Georgia
• Kazakhstan • Kosovo • Montenegro
• Mozambique • Serbia • Tajikistan • Zambia
Expansion countries were prioritized based on assessments of cyberthreats, ease of the operating
environment, prevalence of potential local partners, and Internet freedom trends. ISC conducted desk
research, tapped staff knowledge, networked at international events, and consulted USAID to select the
countries. In these new and current counties, ISC DSSes or ToT graduates are expected to conduct at
least one training for LPs and one ToT every month. This ambitious scaling effort will build up a strong
presence of local digital security expertise to ensure the sustainability of ISC efforts as the project closes.
Adding to work under objective 3, ISC is developing tools to will help cybersecurity trainers do their job
more efficiently and effectively. For example, work is underway to develop a monster-in-the-middle
attacks (MitM) solution by creating a Trusted Certificate Checker to improve the online safety of our LPs.
Under objective 4, FY20 onward will shift direction towards countries that exhibit a certain degree of
increased political openness. Past grants (2017-2019) focused on gaps in research, knowledge, capacity
building. The FY20’s multi-stakeholder governance model for selecting proposals will focus on direct
policymaker-facing advocacy. This shift will help ISC support counter restrictive Internet laws and
support policies to promote a free and open Internet in targeted countries where the government has
adopted, or is considering adopting, laws or policies that obstruct Internet freedom. ISC will award and
manage subgrants to at least six and as many as ten domestic Internet freedom policy advocacy grants
to local implementers in Armenia, Georgia, Indonesia, Mozambique, Zambia, Ukraine, Zimbabwe,
Bangladesh, Ecuador and other developing countries. Concept notes will be accepted on a rolling basis
until our resources have all been (well-)used.