Executive Summary

In politically closed environments such as Belarus, leveraging technology to organize a base of support to advocate democratic change or to effectively mobilize supporters to take advantage of organizing opportunities offered by elections, even rigged elections, can be a challenge.

Voter files are often non­existent or inaccessible to opposition political forces. Maintaining secured records of supporter contact information is exceedingly difficult. Telecommunication firms who are closely aligned with the authoritarian regime may disable access to critical communication technologies, such as Gmail, Facebook, or Youtube, and have been known to monitor or disable certain telephone numbers and filter SMS. Collecting, securing and using supporter data is further complicated by the security services of restrictive governments, such as the Belarusian KGB, who routinely confiscate equipment, infiltrate democratic networks and detain activists.

The National Democratic Institute (NDI), a Washington­-based democracy support organization that works in more than 70 countries around the world, recently completed a program to help pro­-democratic political forces working to engage citizens and organize public support for democratic change to more effectively manage supporter data during and after electoral campaigns.

These democratic political forces sought to utilize technologies that political parties and movements in more open countries regularly use to organize members and potential supporters and to ensure national and local data can be shared and utilized by all levels of an organization. Through the use of technology, we saw an opportunity to help these democratic political forces utilize their resources more efficiently as well as assist them in increasing their outreach to supporters without endangering these same supporters.

In short, NDI sought to address the needs of our democratic partners by developing a secure and usable online voter management system. The development of the system incorporated two distinct but related approaches: 1. Data security via Tails (The Amnesiac Incognito Live System), a Linux-­based, live­-boot operating system that can be used on any Windows­-based computer to complete obscure the user’s activity (Tails is a portable operating system with all the security bells and whistles a user in a closed environment might need already installed on it, without having to manage or install security applications); 2. and a data management system; in this case a Drupal­-based open source member management database called CiviCRM;

Context

Belarus has not had a free or fair election since 1994, when Alexander Lukashenko was first elected to the Presidency and shortly thereafter began to systematically eliminate his competition, dismantle democratic political forces and reinstated a Soviet style authoritarian state often referred to as the “last dictatorship in Europe.”

Prior to the December 19, 2010 presidential election, Belarus experienced a brief period of psuedo-­liberalization stemming from the regime’s need to build better relations with western democracies and improve negotiating leverage with Russia. Compared to the 2001 and 2006 presidential elections, the candidates were given more freedom to meet with voters and disseminate their campaign materials. Lukashenko even took the unprecedented step of allowing nearly all opposition candidates to register and even debate each other on state­controlled media. Election day and its aftermath, however, demonstrated the shallowness of Lukashenko’s liberalization policy. The authorities violently dispersed tens of thousands of Belarusians who gathered on the main square in Minsk to protest fraud and vote rigging. Hundreds of political activists, journalists and civil society representatives were severely beaten and detained by the police, including seven of the opposition candidates who challenged Lukashenka in the election.

In the days and months following the election, Belarusian security services, led by the KGB, actively worked to disrupt and eliminate the capacity of democratic political forces, civic groups, independent media and individual democratic activists. To silence dissent and re­establish authority the KGB raiding the homes and offices of democratic organizations and activists. Over 600 persons were arrested, of whom 13 remain political prisoners until today, numerous computers and servers were seized costing political forces much of their organized database lists. Included in the seized items were much of the supporter lists of the democratic forces. Ultimately the goal of the crackdown on Dec 19th and the months following was to re­instill a sense of fear of politics and political action in society that was whittled down as an unintended consequence of the government’s psuedo-­liberalization policy.

The early summer of 2011 was marked by a number of protests by workers and drivers that were focused on the economy, and by a wave of “silent protests” that were organized primarily by youth activists through online social media. These were the first actions following the Dec 19th crackdown and the first efforts of the society to push back against the culture of fear imposed by the government. In response to the “silent protests,” authorities arrested hundreds of protesters and threatened activists with expulsion from universities or loss of employment. The authorities also increased their online anti­-activism efforts by disseminating propaganda via Twitter and Vkontakte (the Russian social network that is similar in functionality to Facebook), and by conducting targeted digital attacks against the websites and accounts of pro­democracy organization. With activists harassed, equipment confiscated, and leaders awaiting their fates in jail, parties and NGOs are struggling to regain the momentum built up prior to presidential elections.

Over half a dozen of the democratic political forces working with NDI recognized the need to regain their lost footing and to re­establish a meaningful dialogue with citizens. They turned to local grassroots action and participation in elections as a mechanisms to communicate with citizens and build long term support for democratic change. While elections in Belarus are not competitive nor legitimate they provide political forces with a legal opportunity to engage the public and build support. To make the most of the political opportunities presented through elections and grassroots action NDI’s democratic partners sought to embrace technologies (already used by political parties and organizations in other countries) to maximize their potential and efficiently build and sustain support networks.

TAILS: A Secure, Bootable Operating System

One of the major challenges facing the partners in their ability to securely access any collected data. Housing the extensive set of data on supporters that partners had collected inside of Belarus was not feasible ­ a high risk of office raids and confiscation would have put the democratic partners and their supporters at risk. However, accessing this information on a web-based system was that their own computers and internet access could not be trusted.

According to the Opennet Initiative, while Belarus does not have the same capabilities as Russian authorities to conduct wide-­scale monitoring of internet use, it is widely believed that “Belarusian and Russian special services cooperate in this sphere. More than 70 percent of Belarusian Internet traffic goes through Russia, and part of it is processed through the Russian system SORM­2. Nonetheless, some providers confirm that the authorities have unofficially requested that all user IDs be kept for a few months and be turned over to the security services on demand.”

In addition, the majority of participants in this project reported that the operating systems on their personal computers were infected with malware, and that they suspected that email and chat conversations taking place on these machines were being tracked and provided to the authorities without their knowledge. Thus, these individuals needed to utilize a secured operating system that would not leave traces of their data on the machine, and that would increase the likelihood that information sent over an internet connection would evade any filtering or monitoring techniques.

To accomplish this task, NDI trained partners on the use of TAILS, a Linux-­based operating system that routes all internet traffic through the Tor network and expunges all user-­added data upon system shutdown. One of the limitations to TAILS is that it relies on a legacy BIOS framework to boot on computers, so a few participants were unable to successfully boot the system on their newer machines. Despite this challenge, TAILS ensured that the using participants were practicing good digital security habits (securely delete sensitive files, visiting websites through an SSL connection, and connect to the internet through an anonymizing proxy over an untrusted network, etc.) because these habits were inherent in the design of TAILS, instead of relying on participants remembering to do so in the stressful and hectic political environment like Belarus.

CiviCRM

The partners in Belarus used varied methods at the national and local level to store and categorize the collected data they received from their supporters such as paper note pads, cell phone lists, Excel spreadsheets and Access databases, stored on servers both inside and outside of the country. A major problem was that data was often either too centralized at the national level and inaccessible to regional activists who needed it or so fragmented at the local level that it could not be linked into part of a nation wide supporter and voter outreach effort. A major goal of the NDI developed data management system was to create an effective national level data management system that was accessible and user friendly for regional democratic activists. NDI developed a customized constituent relations system (CRM) database based from the open ­source system CiviCRM. Each organization had their own CiviCRM instance, developed to meet the unique needs and feedback received from each partner, which was then sub­divided by divisions within the party, with each lower-­level organizer only able to view and modify information for their region. In addition, there are a number of different roles within the system, with some groups able to do only data entry, others with access to data for viewing, and a few with access to view and update all records in their particular geographic zone. The purpose of the use of fine­-grained roles is to ensure that if any specific accounts became compromised, an attacker would only be able to see a portion of information within the database rather than all stored content.

With use of CiviCRM, the participating organizations were able to: define the criteria of data which they wanted to keep, and have these definitions inform their data hygiene as well as their data collection procedures going forward. This systematized way of collecting data improved coordination among the central office and organization branches, resulting in more impactful outreach to supporters. One obstacle that emerged through implementation of this system was complete localization. While all organization members were fluent in Russian, it was acknowledged that some of the nationally oriented Belarusian opposition groups, particularly some of the younger activists, would have preferred for political and cultural reasons to utilize a system in Belarusian. Ultimately due to financial and time constraints it was not possible to fully translate the system into Belarusian though the system did incorporate spelling for cities, streets and surnames in both Belarusian and Russian.

Outcomes and Conclusion

The participating organizations in this project have largely seen the value of more effective data management. Creating a detailed record of supporters (due to the absence of voter files) will greatly improve upon their ability to conduct outreach. In the months since the launch of the data system, eight political forces have uploaded over 113,220 contacts into the system. During the parliamentary elections of 2012 at least one candidate team began utilizing the system recording the voters they contacted and uploading 3,000 new supporters to the system. Belarusian political forces have utilized database also to re­engage their supporters after the elections: 7,700 letters were sent in Minsk, Bobruisk and Brest cities of Belarus.

Political forces have trained regional teams to utilize the data and they are now incorporating the system into voter outreach plans for both issue advocacy efforts and preparations for the 2014 local elections and 2015 presidential elections. Using a secure access tool like TAILS will help to keep the organization’s data safe and help thwart any efforts to monitor and track the political activities of these groups. Despite efforts by a repressive regime like that in Belarus to diminish the campaigning and outreach efforts of political and social movements, with a combination of secure access and data management technologies, these movements can continue to thrive.

Your mobile phone keeps track of all the activity done on the mobile network: from placing or receiving a call, to sending a message, browsing the web, or just being connected and ready to receive communication.

Despite its incredible convenience and usefulness, your mobile phone may reveal information about you and your physical location. This is especially problematic if you are worried about your physical location being discovered by unwelcome entities.

How Do They Know It’s Me?

The mobile network operator requires particular pieces of data to maintain the connectivity of your device as well as bill you for your services. These include:

IMEI: a unique identifier number tied with the specific mobile phone device connected to the network, almost like a serial number for the specific phone.

IMSI: a unique identifier for a user of a mobile network. The IMSI is stored in the SIM card for those phones using GSM networks, and within the phone or the R-UIM card for phones using CDMA networks. The IMSI is shown on any mobile network that can connect with other networks. Thus, if you are roaming between GSM networks to a CDMA network (or vice versa), your IMSI will still appear on these different (but interconnected) networks.

In addition, when purchasing a SIM card or a mobile phone, you may have to provide additional personal information. In many countries, you may not be able to get a device and service plan without a credit card, or even buy a SIM card without presenting your ID, home address, etc.

When placing a call or sending a text message, both the IMEI and IMSI are detectable on the mobile network. When reaching out via mobile phone to a contact that is highly monitored (or if you as a journalist are under surveillance), this data can be retrieved and potentially used against you, either through legal mechanisms, intelligence or government requests for data, or extra-legal mechanisms (use of IMSI catchers, corrupt employees, etc.).

Coupled with these pieces of data, the actual physical location of you and your device can be discovered as well.

Where you’re at: There are several ways in which your phone can give away your physical location:

Cellular Network: Your mobile phone, when it is on, is constantly communicating to the nearest mobile network operator (MNO) towers. This process ensures that calls can be received, text messages sent, etc. This constant “pinging” to the nearest towers can triangulate your location, by estimating where you are based on the overlap of these towers’ reach. This can be seen by the MNO, and anyone with access to the MNO’s records.

GPS: Most smartphones come equipped with GPS functionality, to enhance the efficacy of any applications needing location-based data (maps, social media apps, etc.).

Internet (and provider): Phones connected to the internet are assigned a temporary IP address, which allows any website you visit to estimate your location based on your IP address. In fact, mobile providers keep a record of what phones were assigned which temporary IP addresses. If a mobile provider cooperates with a website, they can match an IP address with a mobile phone’s location using archived mobile network locations or GPS coordinates.

I want you to know where I’m at: Depending on the type of story you’re covering and the risks you may encounter, it’s quite powerful to use this revealed data about you and your geolocation to your advantage. Your device’s location tracking can be used as a record of your various locations for a given time. If you or a fellow journalist fails to check in or goes missing, the network operator and smartphone-specific applications can determine where the device is located.

Don’t Follow Me

If any of these facts raise concerns, and you must use a mobile phone for your work, here are some basic steps you can take to mitigate this leaked information:

Get a second phone and/or SIM card: to have a device and SIM card with as little traceability to you. Also known as a “burner phone,” the aim of these is to use these for short-term use. Good examples of these include buying a prepaid mobile phone in cash.

• Make sure to keep this phone physically separate from your normal phones or locations.
• When not in use, keep the battery removed (explained below) and turned off. Only turn the phone back on when you are away from your home or place of business.
• Don’t swap out the SIM card into your other phones: The IMSI number will then be paired and associated with your non-sensitive devices. It’s better to get a new burner phone, as the IMEI can still be traced to your previous activities on a different SIM card.

To turn the phone “off” completely, remove the battery: If someone has “tapped” into your mobile phone, it is possible for them to turn your phone back on, even without you physically pressing the “on” or power button.

• If you suspect this is happening, an indicator of this can be significantly reduced battery life when on for a short period of time.
• If you need to use your phone at a particular location, you can turn the phone off and remove the battery before you leave, then return the battery and turn it on after you arrive to obfuscate your travel path.
• Leave sensitive locations before putting the battery in and turning on your phone, and then turn the phone on later in a different location.
• Take the phone “for a walk”: give your phone to someone you trust who can to a different location where you will not be.

Disable GPS and location services: These features are available under the settings within your phone.

• Note: there may be multiple options for disabling location services. You should deselect all of them

The recent announcement of a Belarusian law on aspects of Internet regulation certainly raised a number of alarm bells for many groups seeking to protect free expression online. Certainly, Belarus is no stranger to internet repression, ranging from pro-democracy websites repeatedly under attack,tracking down and arresting activists, and many other insidious acts. Given the extensive and differing coverage of the law in the press, here is a summary of what is expected to take place with this law.

In order to implement the norms stipulated by Decree of the Council of Ministers on February 1, 2010, No. 60 (which states that any entity in Belarus selling goods or services to Belarus citizens on the web must use the .by Belarusian domain name), Belarusian authorities have implemented Law No. 317-3. Fines for breaking the law range as high as 1m Belarus rubles (£77; $120).

The impact of this law has been widely debated on its true intentions. The official news agency states that the law’s intention is “to create favorable conditions for Belarusian economic entities, to enable transparent online shopping, to protect interests of Belarusian internet users regarding the information, which distribution is legally prohibited (slave trade, pornography, propaganda of violence, cruelty and so on), to create conditions to protect honor and dignity”. Currently, many Belarus-based companies rent hosting services from Internet service providers in Russia to save money. With the new law, the government hopes to curb this practice and create better controls for collecting tax revenue from e-commerce services. These views are quick to point out that this regulation does not “cut off access to the global internet”, as some news reports have indicated, and are merely an administrative provision to lay out procedures for punishment that were absent in the 2010 decree.

However, there are a number of features of this law, as well as the 2010 decree, that raise concern. To start, entities that offer internet services to the public (internet cafes, computer clubs, etc.) are obliged to “record and store… personal data of Internet services users and information about the Internet services that have been provided,” according to state press outlet Belta. In fact, in his report to the OSCE, Andrei Richter points out that there are many areas of particular concern, including but not limited to: vaguely defined restrictions and prohibitions on spreading illegal information, unclear role of intermediaries to remove identified violations, and many others. In addition, the involvement of a number of control agencies including “organs of internal affairs, taxation, public security organs of State Control Committee of Belarus” demonstrate the increased capacity of the government to gain control in handling “violations”.

While there is not a looming threat to cut off access to the “foreign internet” in Belarus, this law’s ambiguities, its intentions to gain more control of the internet, and the precedence set by Belarusian authorities to violate internet users’ rights do cause concern. Many countries with a track record of ignoring the rights of its citizenry often create confusing and ambiguous laws to ensure their future manipulation to target critics of the regime. The NDItech team will continue to keep a watchful eye on the implementation of this law as well as any other suspicious legal framework that emerge in other countries.

Originally posted on Demworks.org

This year has certainly been a roller coaster for the role of the internet in global society. While there have been many advances in protections for the rights of users, unfortunately, there have also been massive steps backwardin this arena. Recently, the Diplo Foundation hosted a webinar with Jovan Kurbalija (who literally wrote the book on Internet governance) about the 10 biggest developments in IG in 2011. After participating in the webinar, I began to reflect on these developments have been tied to NDI’s work. The full list of developments are available here, and below is a sample of how NDI has contributed to and tracked these developments:

The Internet gets highly political: power of ICTs to push for political change. As stated in the webinar, “social media is now perceived as a decisive tool in modern political life”. NDI will continue to work with local partners over the coming years to adapt and evolve innovative approaches to using ICTs in the political landscape to ensure transparency, accountability, and other features of democratic processes.

A shift in Internet governance direction, from technology to political ministries: Kurbalija identified that “previous vague national Internet governance approaches have started to crystallize”. NDI has been following how the European Parliament, the US, and other countries are formulating citizen-centered approaches to tech regulation. Next year I hope to see these actions progress, with informed decision-making by policy makers and input provided by citizens, business and academics committed to the protection of an open Internet.

Online human rights come into focus: With a diverse set of digital threats facing Internet users, some governments have responded by imposing multi-faceted technical and legal means to “curb” these threats, which instead result in self-censorship among internet users. In addition, many organizations are often unaware about how to best mitigate these threats, and as a result open adopt incomplete strategies that do not address all vulnerabilities. Here at NDI, we seek to know what the full picture of threats are to ourselves and our partners, as well as continually expand the security resources available to our colleagues in this field.

In 2012, I personally hope to see continuation in how multiple stakeholders protect the open Internet, whether it be from propagation of technologies that do more harm than good or ill-designed legislation that does not address the needs of Internet users.

Originally published by Demworks.org

Restriction of open dialogue can take a variety of forms. Systematic and pervasive technical means to block keywords, denial-of-service attacks against websites, and overcrowding discussion platforms in order to drown out dissenting points-of-view are just a few popular methods used around the world. However, many regimes do not have the resources to conduct these widespread and labor-intensive means to enforce people to fall in line with government rhetoric. Therefore, it becomes imperative to create regulatory framework which ensures punishment to those who “cause national panic,” “offend the public,” or other ambiguous jargon to quash “undesirable” discourse. Undesirable, that is, to the regime in power.

The Thai Computer Crimes Act is one such law, where content regulation issues are combined with cybercrimes like hacking and email phishing under vaguely defined terms. One of the most startling features of this law is that internet intermediaries, under Articles 14 and 15, are held just as accountable for the actions of other users to disseminate content “that can cause damage to the third party or public.”

Since the law’s inception, the number of legal cases initiated against internet users has skyrocketed. It is worth noting that the vast majority of these charges overlap with pre-existing legal codes in Thailand used to quell independent political discourse. The most infamous example of this is the lèse majesté law, which makes defamation and insult of “the King, Queen, the Heir-apparent or the Regent” a punishable offense. Predictably, this law fails to define what constitutes “defamation” or “insult,” and the responsibility to charge someone of violating lèse majesté is on the state or the public, allowing anyone to take action against anyone else.

The Thai Computer Crimes Act and lèse majesté have come under strong criticism for their infringement on rights to free expression by Committee to Protect Journalists, Freedom House, and Reporters without Borders. In recent years, there has been no shortage of individuals who have been persecuted for violation of Thai Computer Crimes Act and lèse majesté.

One case that has garnered much attention is that of Chiranuch Premchaiporn (Jiew), the executive director of the online newspaper Prachatai. Jiew is being held liable under the Thai Computer Crimes Act for comments, posted anonymously on the site by readers, in violation of lèse majesté. While her trial is still ongoing, supporters of internet freedom have rallied to her defense and demanded reform. Local groups such as the Thai Netizen Network and My Computer Law have even proposed specific amendments to the Thai Computer Crimes Act to eradicate persecution of journalists and other free speech advocates.

Fear of accusation of violating these acts, which certainly leads to extensive self-censorship among Thai internet users, proves to be an effective technique for a repressive regime to silence dissidence. Sadly, this also proves that countries do not have to employ sophisticated technical means to suppress internet freedom.

Originally published on Demworks.org

The Mapping Local Internet Control project launched last week by the Berkman Center for Internet & Society illustrates the ability of Internet users within a particular country to access the global Internet through their Internet Service Providers (ISPs) or other Autonomous Systems used to route web traffic. One of the key findings of this project is that approximately 96% of all web traffic in China is routed to websites hosted within China. So why is this significant?

This mapping is able to demonstrate one of several means that Chinese authorities use to restrict content online – through centralizing Chinese web traffic to 4 points of control (ways to access the Internet), Chinese authorities can more readily curtail access to any content deemed objectionable.

Visualization of how this control takes place in China is even more striking when compared to other countries guilty of censoring independent content online, such as Iran and Russia. This visualization on the nature of accessibility in China is especially valuable, given the more limited information available on mapping online discourse in Chinese when compared to research on the Arabic, Persian, and Russian blogospheres.

However, as Hal Roberts addresses in his blog entry on the report, there are certainly other factors that could contribute to this phenomenon of funneled Chinese web traffic. He states, “The extremely high proportion local web traffic in China may be the result of the success of the Chinese government in blocking the international sites, like Facebook, YouTube, and Blogger, that are generally the biggest destination in other countries. Or it might be because Chinese people like to read content written in Chinese by other Chinese about Chinese topics run by Chinese people. It is likely some combination of the two factors.” This combination that Roberts highlights has certainly gained attention in other areas over the years: the dominance of China’s Baidu search engineover global counterparts in the Chinese market, as well as the array of localized social networking tools for Chinese Internet users that offer similar functionality to their international equivalents. Another symptom of this control is the creation of vocabularydesigned to evade keyword filtering while criticizing the Chinese regime.

It is important to point out that the routing of web traffic through a limited number of access points is only one example of curbing online discourse within a country’s borders. Sadly, use of physical intimidation, financial pressure, and abuse of rule of law are increasingly commonplace to quell Internet activism in repressive environments like China. Even Roberts notes this trend, stating, “There is no need to launch a DDoS attack against a dissident site that is hosted within the offended country when agents of the offended country can simply knock on the door of … the individual activist publishing the content…”

While the cat-and-mouse game of Internet censorship continues in several countries, projects such as Mapping Local Internet Control, which illustrate the extent of techniques for censorship and surveillance of Internet users, illuminate the opaque efforts to control web traffic within a country’s borders as well as enable activists to strategize ways to counteract these methods of control.

Originally published on Demworks.org