To strengthen digital security for human rights defenders, behavior matters

Most conversation about digital security for human rights defenders (HRDs) tends to focus on privacy and data protection. This is necessary, but what good is a strong passphrase or Virtual Private Network (VPN) when you are at risk of enforced disappearance and torture by the police? In such situations, even the most seasoned HRD is likely to give up access. A strong digital security strategy adds to protection from physical threats, but for many HRDs operating in hostile environments such threats are sadly inescapable and protection strategies need to be more practical.


The typical emphasis on privacy and data protection means that conventional digital security thinking often stresses technical advice for communication security to prevent detection and HRD detention. But technical tools only extend so far after an HRD is detained or subjected to torture by police intent on gaining access. I know very tech-savvy HRDs who have quickly given over their passphrases at the threat of torture. No one can judge them. In such horrific, and sadly common, scenarios, a more holistic approach to digital security is needed.




The United Nations Special Rapporteur on the situation of human rights defenders, Michel Forst, addressed these multiple insecurities in a February 2016 report, calling for HRDs to foster a culture of ‘holistic security’ that interlinks physical security with digital security and psychosocial well-being. The notion of ‘holistic security’ has been gaining traction in HRD protection frameworks since before 2016 but often in otherwise compartmentalized ways.

On the ground, however, this often means transplanting digital security tools from one context into another alongside other physical or psychosocial strategies, and thinking less holistically about the physical and psychosocial realities of digital security.

This problem is crucial for HRDs operating within authoritarian regimes and shrinking civic spaces, where absent the rule of law there are no such legal protections as habeas corpus, the right to counsel, or freedom from torture. And, as Zara Rahman recently articulated, “technologies are sometimes mentioned or adopted not because they are the most strategic or necessarily useful tools for the job,” but due to uninformed pressure.

Take the most common technical advice offered for enhancing digital security: encryption. Most digital security literature recommends, among others, encryption tools like Protonmail, Signal Messenger, or VeraCrypt. Such tools are necessary but insufficient. Yes, encryption done right ensures that only the intended parties have access, protecting data from third-party monitoring, except the most sophisticated and time-intensive intrusion efforts. But this only offers short-term security in authoritarian regimes.

For several years, I have been working with rights defenders in China, and elsewhere, to develop practical approaches to various protection challenges, including digital security. The project I’m part of is based on the active participation of local feedback groups among the target beneficiaries, and is ongoing with support from Reporters Without Borders and others. Initial conclusions of this project arguably offer transferrable value for HRDs in other repressive environments.

After considerable reflection, my collaborators and I have found that more attention to behavior is critical in providing digital security for HRDs in hostile environments. This means addressing how HRDs relate to and act with the digital security tools they choose to use, how HRDs understand local realities, and how HRDs are supported (or not) based on their specific contexts and threats. This can be called localizing a behavioral approach to digital security.

Here are a few examples for securing behavior from our work so far.

For practical purposes, relying on secure communication tools is important under authoritarianism, but once in detention the concern is less about preventing access than limiting what is accessible. HRDs should adopt dedicated emails for work and maintain a Zero Inbox Policy—that is, always deleting content, either manually or through automatic destruction such as that offered in Protonmail, or Signal and Telegram for chat-based communication. This should be standard HRD communication behavior.

Another often-overlooked behavioral issue is how HRDs delete sensitive information. Encrypting sensitive data from intrusion is meaningless if it is left easily accessible after deletion through file recovery programs. Several HRDs I spoke with recounted that during police interrogations they were questioned based on wholly or partially recovered documents they had thought they had deleted. In short, the way we usually ‘delete’ something does not necessarily delete anything.

Ultimately, any approach to digital security must combine increasing security with a realistic understanding of what behavior is practical. For example, realistically, most people aren’t going to remember the login information to sign into every account they hold, including for shopping or friendly chatting. They would be happy for some passphrases or account details to be saved, and would quickly abandon a procedure that requires otherwise. As such, one of the most practical behavioral approaches is maintaining a dual browser strategy. HRDs should keep one browser, say Firefox, for all rights defense work. Here they use the relevant browser extensions and conventional best practices, with automatic erasure upon exit. On the other hand, they should keep a separate personal browser for entertainment, say Chrome or Opera, in which, for example, non-sensitive passwords can be saved for easy use.

The approach should also be local. This means language localization, as far too many technical tools remain available only with English language interfaces, but above all it means contextualization and regionalization. This is in line with a recent piece by Danna Ingleton, on the importance of recognizing agency and centralizing the experiences of HRDs in their own protection.

In this sense, developing practical digital security strategy requires extending a greater degree of agency to the HRDs who are most affected and who will most benefit. One way to achieve this is for donors to support the creation of local feedback groups, which has been the foundation of the project I have been involved with, whether to inform the creation of new versions of existing digital security guidebooks, identify the most practical behavior for how technology is used, or devise bottom-up advice for institutional support.

Through ongoing support for local initiatives that take a practical approach to digital security, the hope is that more secure behavior will develop in tandem with technology for the authentic holistic security of HRDs in hostile environments.