Secure messaging apps like Telegram have become an increasingly important part of NGO and civil society work in many countries.
What makes CIPE’s programs stand out is the caliber of our partners. From developing the first ever local business agendas in Ukraine, to sparking economic policy debates for the first time in Nepal, to leading the private sector to cooperate with local governments and security forces to combat insecurity in Tijuana, Mexico, CIPE partners around the world are doing tremendous work to create more sustainable democratic and economic communities.
During this process, however, many of them face risks while operating in challenging – and sometimes dangerous – environments. It may be because they exist in countries where civil society is facing a challenge, or it might be because powerful companies are closely tied with the ruling political party. Whatever the reason, CIPE understands that all our partners take risks by challenging the status quo. To this end, CIPE has supported our partners in maneuvering through difficult environments by equipping them with mobile or online tools that could lower their risks.
NOTE: As you explore the tools, please keep these points in mind.
- Despite the sophistication of the tools mentioned below, organizations should not rely solely on digital security for their safety, even if they are being careful. Many authoritarian governments are digitally savvy, so in some environments it is impossible to be 100% secure. Organizations should make sure they are following all the laws and regulations (even if they are burdensome), and that they are not communicating in ways that would put individuals at risk, even if they were compromised.
- Carefully review and understand the privacy policies of any tools before using them.
- Adopting new technology is like a behavior change – it takes time and effort, so be patient if your organization decides to adopt and use one of the tools.
The following are some suggested tools and strategies that CIPE has shared with our community. They cover common threats and risks associated with using certain ICTs, as well as possible products and strategies to consider using to improve your organization’s security measures.
For messaging/chat services
Common risks/recommendations for messaging/chat services:
- Most messaging services lack encryption – pick an app that offers end-to-end encryption
- Avoid using messaging services over open networks, such as Wi-Fi in cafes and public places
Possible products to consider:
- Telegram is an interesting app. It’s a free app that offers end-to-end encryption and is thus secure. It also has a channel feature where you can blast a message to several people who subscribe to the channel. There are “supergroup chats” where you can have up to 5,000 participants. What’s also great is that it has a self-destruct mode where you can set a timer to an individual message, and it automatically disappears. Watch the tutorial video for the app here.
- WhatsApp recently adopted an end-to-end encryption system, making it another secure way of messaging with others. It’s not free ($0.99/year) but one of the advantages is it has over 1 billion users worldwide. You can use the app more securely by locking the app (such as with ChatLock), blocking photos from the photo roll, hiding the “last seen” option, or setting the profile picture to “contacts only”.
Note: both Telegram and WhatsApp require smartphones and data or Wi-Fi to connect.
For email
Common risks/recommendations for email systems:
- Common threats to email security include: malware, email interception, weak passwords, spamming, phishing/spear phishing
- Some ways to manage these common problems include: not opening suspicious emails or links, taking note of where you use your email address (e.g., sign-ups on websites), using more secure/stronger passwords, and not replying to spam
Possible products to consider:
- ProtonMail is an email system (free for up to 50 MB storage space and up to 150 messages/day; for larger storage space and more email frequency, you must upgrade to a fee-based version) that provides automatic email security (end-to-end encryption). Its features include self-destructing emails and double-password security. Emails can be sent from Gmail, Outlook and other platforms. One caution of note: while it is difficult, it is possible to decrypt emails on ProtonMail.
- Tutanota is a German-based email system that also offers end-to-end encryption. The system is free for one user (one email account) up to 1 GB and must use a Tutanota domain only. If you’d like to add multiple users to the account (have multiple email accounts for a company/organization), then the fee is €1 per month per user, for up to 1 GB per user, and you can use your own domain or a Tutanota domain. It is open source, and offers local encryption (on devices). Watch the tutorial video for Tutanota here.
For storage space
Common risks/recommendations for storage space solutions:
- Common threats to storage services are user error and insider activity
- Possible threats include compromised credentials (usernames, passwords) and lack of encryption; also, the more users a certain storage space has, the higher the possibility that it attracts hackers
- To counter these risks, consider: creating stronger passwords, having your IT department audit all connected devices, spreading sensitive data between different storage spaces, and reviewing what is being shared.
Possible products to consider:
- If you already use a cloud-based storage space (such as Dropbox, Microsoft OneDrive, Google Drive, etc.), which are not entirely secure, you can add an extra layer of protection, such as:
  - Use a two-step authentication process
  - Add third-party encryption (such as Boxcryptor, which encrypts data on devices before they are synchronized to the cloud)
- SpiderOak is an increased-security cloud-based storage service. It offers up to 2 GB of free trial for 60 days (after that, it’s $7/month for 30 GB or $12/month for 1 TB), has zero-knowledge encryption (meaning your data is 100% private and only readable by you), does not store users’ passwords or encryption keys, offers storage redundancy savings, and syncs across all devices. Watch the tutorial video for SpiderOak here.
All of these suggested tools have been around for at least 5 years, which is a good sign because that means the products are well vetted and well-funded. Often you read and hear about new apps or solutions created by startups, but they do not stick around for various reasons, or they have serious flaws which are only revealed as they are more widely adopted. As you come across new technologies, be mindful that one of the key factors to consider is whether the app itself will be around for longer than a year.
Also, it’s ultimately up to the individual organization or team to determine which tools are viable or fit into the overall IT system of the organization. Play around with the suggested tools above, and see what works best for your specific program, team, or organization!
Maiko Nakagaki is a Program Officer for Global Programs at CIPE.