Building a Digital Security Exchange

Addressing the digital security gap for U.S. communities at risk

Update: There’s been a lot of progress. For more, and to see the project’s documentation, go here: https://www.digitalsecurityexchange.org/

Last week, I wrote that I’m moving on from Access Now to focus on a project helping the U.S. digital security community be more responsive to the needs of civil society groups and high-risk communities. While many of these groups know they need digital security assistance, they often don’t know who to turn to or who to trust. We’re calling this project the Digital Security Exchange.

In the aftermath of the 2016 election, U.S. organizations big and small have realized they’re at risk of being hacked, surveilled, trolled, and otherwise attacked online — risks that this week’s WikiLeaks dump detailing the CIA’s hacking abilities have driven home. So much infrastructure is vulnerable: Vast databases of constituent information sit in the cloud, state surveillance is eradicating privacy and chilling free speech, and the devices we depend on to communicate have been weaponized against us.

At the same time, existing recommendations can be dizzying. For many users, blog posts on how to install Signal, massive guides to protecting your digital privacy, and broad statements like “use Tor” — all offered in good faith and with the best of intentions — can be hard to understand or act upon. If we want to truly secure civil society from digital attacks and empower communities in their fight to protect their rights, we’ve got to recognize that digital security is largely a human problem, not a technical one. Taking cues from the experiences of the deeply knowledgeable global digital security training community, the Digital Security Exchange will seek to make it easier for trainers and experts to connect directly to communities in the U.S. — building trust and sharing expertise, documentation, and best practices — in order to increase capacity and security across the board.

This project is just getting off the ground, but we already have a stellar working group overseeing its development. It includes:

Ethan Zuckerman, Center for Civic Media at MIT

Bruce Schneier, Resilient Systems/IBM

Harlo Holmes, Freedom of the Press Foundation

Sara Haghdoosti, Mozilla Foundation

Matt Mitchell, cryptoHarlem

Deanna Zandt, Lux Digital

Matt Holland, Technology Strategist

Jamie Tomasello, former Access Now Technology Director

Danny O’Brien, Electronic Frontier Foundation

Nathan Freitas, Guardian Project & Tibet Action Institute

Here are the core components of the project:

Mapping and analyzing need. Before making assumptions about what high-risk communities and civil society organizations need, it’s best to actually reach out and listen, often by coordinating with critical intermediaries working with frontline groups. In addition, members of Muslim American, South Asian, Latino, African American, and other communities have had to respond in real time to digital attacks, and their security expertise has increased accordingly. Therefore, it’s crucial to connect with people who’ve, by necessity, learned the skills they’ll need to fight against online attacks, and to understand what, if any, assistance is needed.

Coordinating existing digital security trainers. The community of self-identified digital security experts is large and disparate. While many individuals and organizations are busy assisting users who’ve come in via official or unofficial channels, nearly every trainer I’ve spoken to says they still don’t know how to reach communities that need help. Our bet is that a loosely-coordinated network of trainers will work more efficiently and will be able to pool its time and resources in a way that serves more people in need.

Building a digital platform. We’ll need a digital space to build out the networks of trainers and communities in need. To do so, we’re building a digital platform that will include secure databases of digital security trainers and orgs in need, a switchboard to triage incoming requests and connect trainers to orgs and communities, and a means of ensuring that the right trainers — with appropriate cultural competence and fluency — are being paired with the right orgs, and that this pairing is leading to desired outcomes (hardening messaging tools, implementing organization-wide practices, securing sensitive data).

Adapting existing documentation. There are a ton of amazing digital security guides out there — EFF’s Surveillance Self-Defense Guide, Access Now’s “A First Look at Digital Security,” Security in a Box, and Martin Shelton’s continually revised “Secure Your Digital Life Like a Normal Person” post on Medium — and each guide serves a different, essential purpose. But even the best guides can be intimidating for people who are new to digital security. That’s why we’ll be working closely with the authors of these guides to convey feedback from the field that could lead to revisions and improvements. That might mean working to create specially-tailored materials, or experimenting with new ways to convey established advice. And feedback will work the other way too: we’ll take the most current advice from the technical experts, and help them distribute it swiftly across the multiple communities.

How you can help:

As we get started assembling these building blocks, we also want to be able to address users’ needs as soon as possible. Here are a few ways you can help: