Uchaguzi Privacy and Security Guidelines
Privacy and Security Guidelines
The privacy and security of the public, our partners, and our team members are of the utmost importance to the Uchaguzi team and to Ushahidi.
As such, we have developed these guidelines for our core team to include as part of the training of all volunteers, across all levels and responsibilities. This page is an introduction to our security goals, recommendations, and general requirements for all volunteers. More explicit instructions on submitting, managing, and publishing data from the public and our partners are included elsewhere on the wiki (links forthcoming).
Uchaguzi Access and Training for All Team Members
We are asking all reporters and Partners to review and agree to our Code of Conduct (or, lightly put, Code of Collaboration) before engaging with the platform and the project.
In addition, each team member working with data submitted to the Uchaguzi platform requires training and scheduled times for their assigned tasks. According to their assigned tasks, each member will have a set access level. Heather Leson and Angela Odour from Ushahidi are managing these access levels.
While anyone can create an account to have a "member" status, they will only be able to view the reports they have submitted. All other Uchaguzi access tiers will have various levels of permissions pertinent to their assigned tasks. Only the Superadmins, Admins, Verification, and Reports team members will have the right to approve reports that can be viewed by the public at https://uchaguzi.co.ke.
Guidelines for reviewers, admins, and reporters when securing their own browser
- Remain logged out as much as possible
    - Only login when you are actively reviewing reports
    - Avoid doing other tasks while reviewing reports
    - This reduces risk of various hijacking attacks
    - Always log out when you're done. Don't leave your computer logged in and unattended
- Check the URL:
    - It should be: https://uchaguzi.co.ke
    - Is the certificate valid? You shouldn't receive browser warnings and you should see a green padlock next to the URL.
- Use a secure password (see "How to create secure passwords")
- Avoid logging in to the site from public or untrusted connections
- Avoid keeping copies of sensitive info. For example: don't edit reports in a word doc.
- Install NoScript for Firefox or NotScripts for Chrome
    - Detailed guide to Firefox security addons
- If possible: use Tor when accessing the Uchaguzi admin
Our Submission, Review, and Verification Process
Questions to consider when posting (reviewing) a report to Uchaguzi
- What private information is in the message? Should it be included or excluded?
- Will publishing this report endanger the reporter?
    - Will the reporter be safer if I delay publication? (to avoid clearly and immediately identifying a victim)
- Is the report urgent or an emergency?
    - Have I contacted the emergency desk of my team lead?
    - Should the item be posted or removed?
    - Should certain partners also be contacted?
- Am I working in a secure location? Is my password ok? (see "How to create secure passwords")
- Are there any URLs in the report? Are these reports suspicious? Should they be removed?
- Is there any code / HTML in the report? This should be removed.
- ....
Additional Resources
Tips from the Uchaguzi 2010 Case Study on Security & Privacy:
"The ability to create questionnaires gets people to start thinking about the security that I think needs to be a standard set of questions that people ask for in any installation at all. While the issues of information security, privacy and the possibility of retribution for sharing information was not a major issue in the Uchaguzi-Kenya project; it may play a very large role in other election monitoring projects that use Ushahidi or Crowdmap. Risks to people, systems and organizations are constantly evolving; approaches to security and privacy will need to be regularly evaluated."
A security and privacy review should begin with:
- A discussion of potential risks to the crowd and organizations if they use the platform
- Plans on how to keep technology hardware (e.g., servers) safe and secure
- Plans for how volunteers and others should be trained to keep information private and secure, if necessary
- A contingency plan for security and privacy related events.
Materials
- Security FAQ
- Security Research
- Security in a Box (Tactical Tech)
- “Securing Crisis Maps”, written by Rob Baker and George Chamales, is a helpful infographic that shows different areas of information, security and privacy risks.
- “Crisis Mapping and Cybersecurity” by Anahi Ayala Iacucci describes one approach to addressing these issues
- Questions from Toolbox 1, Slide 16 “ICT, Privacy & Security” can also be used as a guide to think about these issues in election monitoring projects.
- CrisisMapping and CyberSecurity - Part III (Security is Knowledge) - article by Anahi Ayala Iacucci
We also recommend that you review George Chamales' Security Webinar: