Communication and Safety at Global Voices

As a distributed community, our work will be smoother, safer and more efficient if we all share a basic methodology and set of tools for our communications. We are all free to use other platforms to talk with fellow GVers. But we must use the safer options listed here when discussing work, or anything sensitive.

Recommended communication platforms for all GV contributors

Email
• Gmail: Establish and use a Gmail account for everyday email regarding GV work.
• Tutanota: Create a free email account on Tutanota and install the Tutanota mobile app to receive notifications of new mail. Tutanota ensures strong privacy when messages are sent between two Tutanota accounts.

Video chat
• Jitsi – On-demand video communication with staff or authors. Create a new chat session at https://meet.jit.si for each conversation and invite others. Jitsi requires no sign-up or account, and saves no information about your activities. This makes it safer than options like Skype or Hangouts.
• Google Hangouts – On-demand video communication with staff or other authors. Use Google Hangouts if Jitsi isn’t working.
• Do not use Skype, if possible – Skype is uniquely vulnerable to hacking.

Messaging and voice apps
• WhatsApp – Use this for real-time communication with staff, volunteers, partners, sources. Can also be used for communication about sensitive information if Signal or Wire will not work.*
• Signal – Use this for real-time communication with staff, volunteers, partners, sources. Use for communication about sensitive information, especially if you need to reach a person quickly.
• Wire (alternative to Signal) – Use this for real-time communication with staff, volunteers, partners, sources. Use for communication about sensitive information, especially if you need to reach a person quickly.

* Signal and Wire are the top recommended apps for secure, real-time communication today. While WhatsApp is fairly safe, it is owned by Facebook, and we know that the company collects some data about our messages. Signal and Wire collect the minimum information needed to provide the service that they offer. All of these apps are vulnerable to censorship, and some are blocked in certain countries.

Handling and communicating “sensitive” information

If you're discussing sensitive information with another GVer, use a more secure platform (e.g. Tutanota for email, Signal for messaging) for your communications.

Examples of sensitive information:

  • Information for a story that could generate risk for a volunteer, a staff member, the subject of the story, a partner organization, or GV as an organization
  • Personal information – staff and contributors’ addresses, telephone numbers, email addresses, personal identification numbers, emergency contacts, including your own
  • Financial information – bank account numbers, credit card numbers
  • Administrative information – employee personnel records, electronic documents containing confidential information, legal documents, contracts, passport copies
  • Accounts information – User IDs, passwords, and PIN numbers

Protect your devices and data

All editors owe it to themselves, their teams and the whole GV community to keep their systems safe and up to date, and to follow best practices for storing any sensitive information.

Passwords – VERY IMPORTANT!
• Use unique passwords for every single login you create, especially for GV communications.
• Use a password manager (KeePassX or 1Password) to track and securely store passwords.
• Never store passwords in a browser's built-in password manager (Chrome, Firefox). The tools above have browser plugins that are safer and work much better.
• Only store passwords in encrypted format! See password managers above or use VeraCrypt if necessary.
• Never share passwords over open channels of communication like email or Skype.
• Set a screen lock on computers and mobile phones that locks within five minutes of inactivity so no one can hijack your logged-in sessions.
• Change passwords every six months.
• Notify a core team member if you suspect any of your Global Voices-related passwords are stolen.

Browsers
• Use Chrome or Firefox browsers as a baseline for all work.
• Always consider how your web traffic — i.e. websites that you visit — can be “sensitive”. Have a plan to ensure it can't be traced back to you.
• When in doubt, use Incognito/Private Browsing mode in your browser so that all cookies and web history will be automatically deleted and cannot be found later by someone with access to your computer.
• Private browsing does not protect you from spying by governments that control internet infrastructure. If you are visiting a site that contains sensitive information, or information that is considered illegal, always use Tor Browser. Tor will anonymize you geographically so that your activities cannot be traced to your location.

Email
• Use Gmail for all GV-related communications.
• Use GV email groups to share and request information that is appropriate for the broader community to see and share. DO NOT send or request sensitive information using GV email groups.
• Never send sensitive information over Gmail. Instead, use an end-to-end encrypted tool such as Signal, Jitsi, or the ultra-secure email service Tutanota.
• Before forwarding an email, always consider whether it includes sensitive information and use a more secure channel as necessary.
• Actively specify when an email is NOT to be forwarded.
• Never open attachments from untrusted sources or under suspicious circumstances, as they are the leading cause of viruses and malware.

Mobile phones and tablets
• Set your devices to lock automatically and require a passcode to be turned on or used.
• Run software updates at least once a month, or as soon as critical updates become available.
• Back up the data on your devices – phone, computer, tablet – at least once per month.
• Ensure all backups of your data are encrypted.
• Contact your supervisor if you think there is an infection on your device.

Computer operating systems
• Set your computer to sleep automatically after a short period of inactivity and require a password to wake up.
• Run software updates at least once a month, or as soon as critical updates become available.
• Run updated, licensed antivirus software. We recommend Avast antivirus.
• Back up the data on your devices – phone, computer, tablet – at least once per month.
• Ensure all backups of your data are encrypted.
• Use the free, open source software tool VeraCrypt to create encrypted folders on your computer. If someone steals or confiscates your computer, they will not be able to access the information held in these files.
• Contact your supervisor if you think there is an infection on your computer.

Data storage and maintenance
• Perform periodic cleanup of all files needed for your work with Global Voices that are stored on your hard drive.
• Delete anything unnecessary or sensitive that isn't encrypted, including erasing web history, browser caches, and chat logs.
• Destroy information on hard disks before sending them in for repair or throwing them away.
• Securely dispose of any physical information (e.g. hard copies of documents related to work, storage media used to store or transfer files, paper documents) when you no longer need it.

GV group lists: Google Groups, Facebook, WhatsApp and RiseUp
• Join email, WhatsApp and other community groups that are relevant to your work with GV. If you decide you don’t want to be part of a group, tell the group leader.
• Never send sensitive information to a mailing list or group. If another group member sends sensitive information to the group, remind them that this is risky behavior and ask all group members not to share the information further.

WiFi Networks
• Change home WiFi account password twice a year.
• Secure home WiFi with Protected Access II (WPA2) or stronger encryption.
• When using insecure WiFi networks (essentially any unknown/unfamiliar connection), use a VPN or the Tor browser.

Community Support

  • If you get a strange message, your machine is acting weird, or an author contacts you saying that s/he is having this kind of problem, immediately ask for help from any core team member.
  • Communications tools sometimes break or fail to work properly. If this happens, immediately ask for help from any core team member. You don't want these systems to be broken when you need them most. If your own system breaks or fails, use communication tools belonging to trusted people.
  • Remember that when we communicate as a group — on our lists, and within WordPress — each person's habits can affect the whole community. If you have an easy-to-guess password for WordPress, someone could use this to break into our system. If your email is hacked, someone could read many community messages on the Google group. If you think these tips might not matter for you, always think of the community first!