Global Voices Communication and Safety Guidelines

As a distributed community, our work will be smoother, safer and more efficient if we all share a basic methodology and set of tools for our communications.

We are all free to use other platforms to talk with fellow GVers, but we should always consider using a safer option when discussing work, especially for any kind of sensitive information (discussed below).

Recommended communication platforms

Email

  • Gmail: Establish and use a Gmail account for everyday email regarding GV work.
  • Tutanota (more secure): Create a free email account on Tutanota and install the Tutanota mobile app to receive notifications of new mail. Tutanota ensures strong privacy when messages are sent between two Tutanota accounts.

Video chat

  • Jitsi (more secure): On-demand video communication with staff or authors. Create a new chat session at https://meet.jit.si for each conversation and invite others. Jitsi requires no sign-up or account, and saves no information about your activities. This makes it safer than options like Skype or Hangouts.
  • Google Hangouts: On-demand video communication with staff or other authors. Use Google Hangouts if Jitsi isn’t working.
  • Skype: Do not use Skype unless absolutely necessary. Skype is uniquely vulnerable to hacking.

Messaging and voice apps

  • Signal (more secure): Use this for real-time communication with staff, volunteers, partners, sources. Use for communication about sensitive information, especially if you need to reach a person quickly.
  • Wire: A secure alternative to Signal, with similar encryption and use cases.
  • WhatsApp: Use this for real-time communication with staff, volunteers, partners, sources. Can also be used for communication about sensitive information if Signal or Wire will not work.*

* Signal and Wire are the top recommended apps for secure, real-time communication today. While WhatsApp is fairly safe, it is owned by Facebook, and we know that the company collects some data about our messages. Signal and Wire collect the minimum information needed to provide the service that they offer. All of these apps are vulnerable to censorship, and some are blocked in certain countries.

Handling and communicating “sensitive” information

If you're discussing sensitive information with another GVer, please ensure you are using the most secure platform possible (i.e. Tutanota for email, and Signal for messaging).

Examples of sensitive information:

  • Information for a story that could generate risk for a volunteer, a staff member, the subject of the story, a partner organization, or GV as an organization
  • Personal information – Anyone's street addresses, telephone numbers, email addresses, personal identification numbers, emergency contacts, etc. including your own
  • Financial information – Bank account numbers or logins, credit card numbers etc.
  • Administrative information – Employee personnel records, electronic documents containing confidential information, legal documents, contracts, passport copies
  • Accounts information – User IDs, passwords, and PIN numbers

Protect your devices and data

All editors owe it to themselves, their teams and the whole GV community to keep their systems safe and up to date, and to follow best practices for storing any sensitive information.

Passwords – VERY IMPORTANT!

  • Use unique passwords for every single login you create, especially for GV communications.
  • Use a password manager like KeePassXC (free) or 1Password (paid) to track and securely store passwords in a vault.
  • Never store passwords within a browser (Chrome, Firefox) password manager. Instead, use the browser extensions for the tools above to securely integrate your vault into apps where passwords are needed.
  • Only store passwords in encrypted format! Use one of the password managers above or, if you need to store them in another type of file, use VeraCrypt to encrypt the file in a secure container.
  • Never share passwords over open channels of communication like email or especially Skype. Ideally use encrypted voice, otherwise use encrypted chat like Signal and ensure both parties delete the password from their message history immediately.
  • Set a screen lock on computers and mobile phones that locks within five minutes of inactivity so no one can hijack your logged-in sessions.
  • Change passwords every six months.
  • Notify a core team member if you suspect any of your Global Voices-related passwords are stolen.

Browsers and web traffic

  • Use Chrome or Firefox browsers as a baseline for all work.
  • Always consider how your web traffic — i.e. websites that you visit — can be “sensitive” or put you in danger. Have a plan to ensure it can't be traced back to you.
  • When in doubt, use Incognito/Private Browsing mode in your browser so that all cookies and web history will be automatically deleted and cannot be found later by someone with access to your computer.
  • Private browsing does not protect you from spying by governments who control internet infrastructure. If you are visiting a site that contains sensitive information, or information that is considered illegal, always use Tor Browser.
  • Tor (i.e. Tor Browser) should be used for sensitive or dangerous web traffic. It will anonymize you geographically so that your activities cannot be traced to your location.

Email

  • Use Gmail for everyday GV-related communications.
  • Use GV email groups to share and request information that is appropriate for the broader community to see and share. DO NOT send or request sensitive information using GV email groups.
  • Never send sensitive information over Gmail. Instead use an end-to-end encrypted tool such as Signal, Jitsi, or the ultra-secure email service Tutanota.
  • Before forwarding an email, always consider whether it includes sensitive information and use a more secure channel as necessary.
  • Actively specify when an email is NOT to be forwarded.
  • Never open attachments from untrusted sources or under suspicious circumstances, as they are the leading cause of viruses and malware.

Mobile phones and tablets

  • Set your devices to lock automatically and require a passcode to be turned on or used.
  • Run software updates at least once a month, or as soon as critical updates become available.
  • Back up the data on your devices – phone, computer, tablet – at least once per month.
  • Ensure all backups of your data are encrypted.
  • Contact your supervisor if you think there is an infection on your device.

Computer operating systems

  • Set your computer to sleep automatically after a short period of inactivity and require a password to wake up.
  • Run software updates at least once a month, or as soon as critical updates become available.
  • Run updated, licensed antivirus software. We recommend Avast antivirus.
  • Back up the data on your devices – phone, computer, tablet – at least once per month.
  • Ensure all backups of your data are encrypted.
  • Contact your supervisor if you think there is an infection on your computer.

Data storage and maintenance

  • Store any sensitive information on your laptop in encrypted directories. Use the free, open source software tool VeraCrypt to create encrypted folders on your computer. If someone steals or confiscates your computer, they will not be able to access the information held in these files, even if they can access everything else.
  • Perform periodic cleanup of all files needed for your work with Global Voices that are stored on your hard drive.
  • Delete anything unnecessary or sensitive that isn't encrypted, including erasing web history, browser caches, and chat logs.
  • Destroy information on hard disks before sending them in for repair or throwing them away.
  • Securely dispose of any physical information (i.e. hard copies of documents related to work, storage media used to store or transfer files, paper documents) when you no longer need it.

GV group lists: Google Groups, Facebook, WhatsApp and RiseUp

  • Join email, WhatsApp and other community groups that are relevant to your work with GV. If you decide you don’t want to be part of a group, tell the group leader.
  • Never send sensitive information to a mailing list or group. If another group member sends sensitive information to the group, remind them that this is risky behavior and ask all group members not to share the information further.

WiFi Networks

  • Change your home WiFi account password twice a year.
  • Secure your home WiFi with Wi-Fi Protected Access II (WPA2) or stronger encryption.
  • When using insecure WiFi networks (essentially any unknown/unfamiliar connection), use a VPN or the Tor Browser.

Community Support

  • If you get a strange message, your machine is acting weird, or an author contacts you saying that s/he is having this kind of problem, immediately ask for help from any core team member.
  • Communications tools sometimes break or fail to work properly. If this happens, immediately ask for help from any core team member. You don't want these systems to be broken when you need them most. If your own system breaks or fails, use communication tools belonging to trusted people.
  • Remember that when we communicate as a group — on our lists, and within WordPress — each person's habits can affect the whole community. If you have an easy-to-guess password for WordPress, someone could use this to break into our system. If your email is hacked, someone could read many community messages on the Google group. If you think these tips might not matter for you, always think of the community first!
