
Uchaguzi Privacy and Security Guidelines

Privacy and Security Guidelines

The privacy and security of the public, our partners, and our team members is of the utmost importance to the Uchaguzi team and to Ushahidi.

As such, we have developed these guidelines for our core team to include as part of the training of all volunteers, across all levels and responsibilities. This page is an introduction to our security goals, recommendations, and general requirements for all volunteers. More explicit instructions on submitting, managing, and publishing data from the public and our partners are included elsewhere on the wiki (links forthcoming).

Uchaguzi Access and Training for All Team Members

We are asking all reporters and Partners to review and agree to our Code of Conduct (or, lightly put, Code of Collaboration) before engaging with the platform and the project.

In addition, each team member working with data submitted to the Uchaguzi platform requires training and scheduled times for their assigned tasks. According to their assigned tasks, each member will have a set access level. Heather Leson and Angela Odour from Ushahidi are managing these access levels.

While anyone can create an account to have "member" status, they will only be able to view the reports they submitted. All other Uchaguzi access tiers will have various levels of permissions pertinent to their assigned tasks. Only the Superadmins, Admins, Verification, and Reports team members will have the right to approve reports that can be viewed by the public at https://uchaguzi.co.ke.

Guidelines for reviewers, admins, and reporters when securing their own browser

  1. Remain logged out as much as possible
    1. Only log in when you are actively reviewing reports
    2. Avoid doing other tasks while reviewing reports
    3. This reduces risk of various hijacking attacks
    4. Always log out when you're done. Don't leave your computer logged in and unattended
  2. Check the URL:
    1. It should be: https://uchaguzi.co.ke
    2. Is the certificate valid? You shouldn't receive browser warnings and you should see a green padlock next to the URL.
  3. Use a secure password? How to create secure passwords
  4. Avoid logging in to the site from public or untrusted connections
  5. Avoid keeping copies of sensitive info. For example: don't edit reports in a Word doc.
  6. Install NoScript for Firefox or NotScripts for Chrome
    1. Detailed guide to Firefox security addons
  7. If possible: use Tor when accessing the Uchaguzi admin

Our Submission, Review, and Verification Process

Questions to consider when posting (reviewing) a report to Uchaguzi

  1. What private information is in the message? Should it be included or excluded?
  2. Will publishing this report endanger the reporter?
    1. Will the reporter be safer if I delay publication? (to avoid clearly and immediately identifying a victim)
  3. Is the report urgent or an emergency?
    1. Have I contacted the emergency desk of my team lead?
    2. Should the item be posted or removed?
    3. Should certain partners also be contacted?
  4. Am I working in a secure location? Is my password ok? How to create secure passwords
  5. Are there any URLs in the report? Are these reports suspicious? Should they be removed?
  6. Is there any code / HTML in the report? This should be removed.
  7. ....
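
The last two questions above (URLs and code / HTML in a report) can be pre-screened before a reviewer reads the submission. The following is an added example, not code from the Uchaguzi or Ushahidi platform; `prescreen_report` and the sample submission are hypothetical. It strips all markup, discards script and style contents, and lists every URL so the reviewer can decide whether it is suspicious.

```python
import re
from html.parser import HTMLParser

# Matches bare links left in the visible text of a report.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)

class _ReportStripper(HTMLParser):
    """Collects visible text, drops all markup, and records what was dropped."""
    SKIP = {"script", "style"}  # contents of these tags are discarded entirely

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.tags, self.urls = [], [], []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag in self.SKIP:
            self._skip_depth += 1
        # Link targets disappear with the markup, so record them for the reviewer.
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.text.append(data)

def prescreen_report(raw):
    """Return markup-free text plus flags a reviewer checks before approving."""
    parser = _ReportStripper()
    parser.feed(raw)
    parser.close()  # flush any buffered trailing text
    clean = " ".join("".join(parser.text).split())
    urls = parser.urls + URL_RE.findall(clean)
    # URLs in the text are flagged, not removed: removal is the reviewer's call.
    return {"text": clean, "had_markup": bool(parser.tags), "urls": sorted(set(urls))}

# Constructed sample submission, not real Uchaguzi data.
SAMPLE = ('Long queues at the polling station. <script>alert(1)</script>'
          '<a href="http://example.test/vote">results here</a> '
          'see also www.example.test/photos')
```

An unclosed `<script>` tag causes the rest of the submission to be dropped rather than published, which is the safer failure for a public map.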

Additional Resources

Tips from the Uchaguzi 2010 Case Study

on Security & Privacy:
"The ability to create questionnaires gets people to start thinking about the security that I think needs to be a standard set of questions that people ask for in any installation at all. While the issues of information security, privacy and the possibility of retribution for sharing information was not a major issue in the Uchaguzi-Kenya project; it may play a very large role in other election monitoring projects that use Ushahidi or Crowdmap. Risks to people systems and organizations are constantly evolving approaches to security privacy will need to be regularly evaluated."

A security and privacy review should begin with:

Materials

We also recommend that you review George Chamales' Security Webinar:
