Collecting data safely in high-risk countries

It’s an unfortunate reality that human rights advocates and journalists are often at risk of persecution from their governments.

Since these brave and dedicated people are often the same in-country human rights experts we ask to participate in our data collection, it’s really important to us that we safeguard their identities and minimise the chance that participating in HRMI’s data collection process will put them in any extra danger.

HRMI collects two types of sensitive information as part of our data collection, and we have put in place a clear process to collect and store this information securely.

If you’re thinking of participating in our data collection in your country, we want you to know that we take your safety very seriously.

HRMI collects two types of sensitive information as part of our data collection, and we have put in place a clear process to collect and store this information securely.

We store your identifying information securely

The first type of sensitive information is the names and contact details of potential survey respondents. We collect this via an online form on a website with an SSL certificate and secured by https. This means that the names and contact details are encrypted as they travel online.

This encrypted information is sent to a dedicated email address hosted by an email service provider based in Switzerland, a country with with very strict privacy laws, and then entered into our Client Relationship Management (CRM) Software. The CRM is certified to the highest ISO security standards. This ensures all information is captured, managed and retained in an encrypted fashion. Access to this information is restricted to a small team of HRMI staff based in New Zealand, and used only to send out links to the online survey.

We anonymise your expert survey responses

The second type of sensitive information we collect is the responses to our expert survey. Again, this information is collected via online software with an SSL certificate and secured by https, which encrypts all information submitted via the survey.

Neither we, nor anyone else, knows who each set of responses has come from, and we also have a process for stripping the most sensitive information from these responses before they are summarised into generic metrics and published on our website.

What are the risks to our respondents?

Overall, the biggest risk we can see for respondents would be if someone hacks into your email and sees that you have received a survey link from HRMI. A hostile government could then know that you might be contributing to our human rights metrics.

However, they would not be able to access what you write in the survey.

Some tips for protecting yourself from online surveillance

To help potential survey respondents who are concerned about this risk, here’s some information on how to hide your online activity.  

Hide your IP address 

There are two ways of hiding your IP address (the unique internet address of your computer or phone) to protect your online activity:

VPNs (Virtual Private Networks) 

A VPN provides you with a public IP address, different from your personal one. 

VPNs can be set up to protect your whole device, not just the traffic that runs through your browser, meaning that other programs on your device which are using the internet (like desktop email clients) will also be protected by your VPN. 

Some VPNs are themselves risky to use. Examples of trusted ones are Private Internet AccessMullvad, and Tunnel Bear. 

Many VPN providers charge a monthly subscription fee. Free VPN services are also available, although they often have limited bandwidth and data allowances. Tunnel Bear’s free option and Rise Up can be good alternatives to paid services if you only need to hide your IP address occasionally. 

It is worth noting that some countries are very critical of VPN usage and try to make it harder to download them, in some cases even by making VPNs illegal. 

You can compare different VPNs here and here.

Tor Browser 

The Tor Browser is a free program you can download onto your computer. 

It lets you use the Tor software, which makes it more difficult for internet activity to be traced back to you by bouncing your communications around a worldwide network of relays run by volunteers. 

Use private WiFi 

Using public WiFi spots can be risky. A safer option, if you have a good mobile plan (or pocket WiFi if your country allows it), is to create a hot spot from your mobile phone to connect to a laptop or computer. Just make sure you enable a password, so no one else can use your data without your permission, and remember to switch off the hot spot when you’re finished.  

Search smart 

When you are using the internet, most browsers (like Chrome, Safari, Firefox, Explorer and so on) keep track of what you’re looking up and where you go on the internet.

When you’re doing something sensitive, set your browser to ‘private’ or ‘incognito’ browsing, and use a secure search engine (like DuckDuckGo) that doesn’t log your information or retain your browser history.

Another tip is to make sure you delete ‘cookies’ from your browser when you are finished browsing the internet. Cookies are small text files that are stored on your web browser that contain information about interactions with different websites. Each browser has different ways of clearing cookies, which you can find easily online (just search for ‘clear cookies Safari’ or something similar). Instructions for Chrome are here.

Use anonymous email 

Using a separate, anonymous email account to talk with us at HRMI is also a good way to protect yourself. Anonymous emails allow you to send messages that can’t be traced back to your identity.

There are many services like this, such as ProtonMail. It is best to have your browser set to private (see above) before using these services. Avoid using personal information when setting these up.  

General Good Practices 

Adopt good standard procedures 

Always lock your screen when you leave the room. Get into the habit of closing apps and logging off to reduce the chance of accidentally leaving your information open to someone else.

Avoid ‘shoulder-surfers’ 

A ‘shoulder-surfer’ is someone who looks at your computer screen while you are working in order to gain information. To keep your information secure, you can sit with your back against a wall, or turn your screen away from potential viewers.

Use anti-virus protection 

Whether you’re using a personal or public device, try to make sure that anti-virus software has been installed.  

Use multi-factor authentication and password managers 

Two more ways to keep your information secure are:

  • Multi-factor authentication, where a service like your email account asks for a password, and also sends a separate code to your phone. Many services will ask you if you want to enable this when you log in.
  • Password managers, such as LastPass, so you can use complex passwords without having to remember them.

For more detail on our security policy, please click here. 

If you have any other security questions or concerns, please contact us. 

Thanks for your interest in HRMI. You are also most welcome to follow us on Twitter, YouTube and Facebook, and sign up to receive occasional newsletters here