Collecting data safely in high-risk countries

It’s an unfortunate reality that human rights advocates and journalists are often at risk of persecution from their governments.

Since these brave and dedicated people are often the same in-country human rights experts we ask to participate in our data collection, it’s really important to us that we safeguard their identities and minimise the chance that participating in HRMI’s data collection process will put them in any extra danger.

HRMI collects two types of sensitive information as part of our data collection, and we have put in place a clear process to collect and store this information securely.

If you’re thinking of participating in our data collection in your country, we want you to know that we take your safety very seriously.

HRMI collects two types of sensitive information as part of our data collection, and we have put in place a clear process to collect and store this information securely.

We store your identifying information securely

The first type of sensitive information is the names and contact details of potential survey respondents. We collect this via an online form on a website with an SSL certificate and secured by https. This means that the names and contact details are encrypted as they travel online.

This encrypted information is sent to our Client Relationship Management (CRM) Software. The CRM is certified to the highest ISO security standards. This ensures all information is captured, managed and retained in an encrypted fashion. Access to this information is restricted to a small team of HRMI staff based in New Zealand, and used only to send out links to the online survey.

We anonymise your expert survey responses

The second type of sensitive information we collect is the responses to our expert survey. Again, this information is collected via online software with an SSL certificate and secured by https, which encrypts all information submitted via the survey.

Neither we, nor anyone else, knows who each set of responses has come from.

Neither we, nor anyone else, knows who each set of responses has come from, and we also have a process for stripping the most sensitive information from these responses before they are summarised into generic metrics and published on our website.

We conduct security audits regularly

We make it a priority to stay ahead of threats, security breaches, and cyber-attacks that could put potential survey respondents’ safety and our reputation on the line. We engage third-party contractors to help keep our systems in check and make sure we are keeping up with best practices. We take security very seriously, and in between formal audits, we have regular team meetings to check in on things like our password security practices and make sure everyone knows how important this is.

What are the risks to our respondents?

Overall, the biggest risk we can see for respondents would be if someone hacks into your email and sees that you have received a survey link from HRMI. A hostile government could then know that you might be contributing to our human rights metrics.

Some tips for protecting yourself from online surveillance

To help potential survey respondents who are concerned about this risk, here’s some information on how to hide your online activity.  

Hide your IP address 

There are two ways of hiding your IP address (the unique internet address of your computer or phone) to protect your online activity:

  • VPNs (Virtual Private Networks) 

A VPN provides you with a public IP address, different from your personal one. 

VPNs can be set up to protect your whole device, not just the traffic that runs through your browser, meaning that other programmes on your device which are using the internet (like desktop email clients) will also be protected by your VPN. Some VPNs are themselves risky to use.

• Some free options: Proton VPN, TunnelBear (limited to 500MB), Hideme (limited to 10GB).
• Some paid options: Express VPN, NordVPN, Surfshark.

It is worth noting that some countries are very critical of VPN usage and try to make it harder to download them, in some cases even by making VPNs illegal. 

You can compare different VPNs here and here.

  • Tor Browser 

The Tor Browser is a free programme you can download onto your computer. 

It lets you use the Tor software, which makes it more difficult for internet activity to be traced back to you by bouncing your communications around a worldwide network of relays run by volunteers. 

Use private WiFi 

Using public WiFi spots is risky, e.g. as explained in the Human Rights Defenders article linked below. A safer option, if you have a good mobile plan (or pocket WiFi if your country allows it), is to create a hot spot from your mobile phone to connect to a laptop or computer. Just make sure you enable a strong password, so no one else can use your data without your permission, and remember to switch off the hot spot when you’re finished.  

Search smart 

When you are using the internet, most browsers (like Chrome, Safari, Firefox, Explorer and so on) keep track of what you’re looking up and where you go on the internet.

When you’re doing something sensitive, set your browser to ‘private’ or ‘incognito’ browsing, and use a secure search engine (like DuckDuckGo) that doesn’t log your information or retain your browser history.

Another tip is to make sure you delete ‘cookies’ from your browser when you are finished browsing the internet. Cookies are small text files that are stored on your web browser that contain information about interactions with different websites. Each browser has different ways of clearing cookies, which you can find easily online (just search for ‘clear cookies Safari’ or something similar). Instructions for Chrome are here.

Use secure email with encryption 

Using a separate, secure email account to talk with us at HRMI is also a good way to protect yourself.

There are many services like this, such as ProtonMail. It is best to have your browser set to private (see above) before using these services. Avoid using personal information when setting these up.  

General Good Practices 

Make sure your devices have good cyber hygiene (both computers and phones)

Only use trusted devices that have been maintained with good cyber hygiene. Make sure you are running and updating the latest versions of your operating systems and apps.

Adopt good standard procedures 

Always lock your screen when you leave the room. Update your software and apps immediately that updates are available. Get into the habit of closing apps and logging off to reduce the chance of accidentally leaving your information open to someone else.

Avoid ‘shoulder-surfers’ 

A ‘shoulder-surfer’ is someone who looks at your computer screen while you are working in order to gain information. To keep your information secure, you can sit with your back against a wall, or turn your screen away from potential viewers.

Use anti-virus protection 

Make sure that anti-virus software has been installed on your device.  

Use multi-factor authentication and password managers 

Two more ways to keep your information secure are:

  • Multi-factor authentication. This is where a service such as your email account asks for a password, and also sends a separate code to your phone or your authentication app. We recommend authentication smartphone apps such as FreeOTP, Google Authenticator or LastPass Authenticator over SMS/text based multi-factor authentication. Many services will ask you if you want to enable this when you set up your account. Our advice is that you opt for this feature where the option is provided.
  • Password managers, such as LastPass and KeePassXC, so you can use complex passwords without having to remember them.

For more detail on our security policy, please click here.  Front Line Defenders also provide this excellent summary of tips for protecting yourself.

If you have any other security questions or concerns, please contact us. 

Thanks for your interest in HRMI. You are also most welcome to follow us on Twitter, YouTube and Facebook, and sign up to receive occasional newsletters here