Digital security for dangerous times

As civil society organizations face funding cuts, growing surveillance threats, and increasingly sophisticated digital attacks, Access Now’s Digital Security Helpline has become a critical support system for journalists, human rights defenders, activists, and vulnerable communities around the world. Newsjunkie’s Morgan Kriesel spoke with Mohammed Al-Maskati, director of the helpline, about what his team is seeing, how US funding cuts are affecting global digital security work, why AI poses ethical risks for sensitive cases, and what organizations can do now to better protect themselves.

“The only option for them was to contact the helpline… Sometimes people don’t have alternatives…”

Take us through a typical day of what you do at the helpline and what issues are coming up with the groups who contact you. What are they dealing with?

As a helpline, we are available 24/7. We have different types of teams supporting what we call shift incident response—the team that receives tickets.

Throughout that 24/7 period, we receive tickets from vulnerable groups, human rights defenders, journalists, and others. Some people ask for support because their account was hacked, or because someone was arrested and they need support securing their accounts.

We also work with very advanced digital needs, especially forensic work. We look into investigations like spyware attacks, malware, or phishing attacks targeting human rights defenders.

Another team in the helpline does security assessments and security awareness support.

I always say the helpline is like an octopus. It’s everywhere. There are a lot of hands working at the same time, providing as much support as we can. We also provide services like VPNs when needed, hosting when organizations lose hosting, and other services.

We try to do as much as we can with a holistic approach. There are a lot of needs. A lot of organizations don’t know how to reach us. And I think digital security has become a very important part of people’s lives.

Where are most of your tickets coming from?

Sometimes there is an election in a country and the government is shutting down the internet, or blocking platforms and not allowing people to access social media. So we help them get anti-censorship tools.

Sometimes there is a protest in a specific country where people need digital security advice, VPNs, or other support during that time.

When we look at conflicts and wars, we also see a lot of needs coming from countries where human rights defenders or journalists are under attack. So we provide support.

That is when our requests peak. We see really huge numbers of requests. We have reached 50,000 requests at one time.

The question is: Can we support all of these people? We cannot, as a helpline, because we try to vet all of these requests, especially when they are coming to us for the first time. We don’t know the people.

To protect our beneficiaries and protect our system, we need to know who these people are and whether they are real people. At the end of the day, Morgan, we cannot support just anyone, because some people definitely want to abuse our mechanism and our services to gain access to accounts that don’t belong to them or try to access information that is really risky.

Wow. The day there were 50,000 people contacting you, do you know what event that was connected to?

There were protests happening. I don’t want to share the country, but it happened in one country, and there was a really heavy internet shutdown happening there, along with censorship of social media.

It seemed like people organized themselves and started sharing, “Oh, this is the helpline. Contact them. They will help you.”

So we saw a campaign happening. It was not a bad-actor campaign. It was just people who didn’t have any other options. The only option for them was to contact the helpline. So they tried to build a draft message [template]: “This is what you say to the helpline. Please share it with the helpline so you can get help.”

Sometimes people don’t have alternatives, and we understand this. But we have limitations on whom we can support, when we can support them, and what we can support. Especially if you’re talking about an internet shutdown, we don’t have a lot of tools to bypass that. 

What do you do when you have so many people overwhelming the line like that?

There are different things we do. One is filtering, to try to support as many people as we can.

We also try to work with partners who have more regional understanding than us. We are a global organization. We understand as much as we can regionally, but there are definitely better people and help desks that understand specific regions better than we do. So we try to cooperate with regional help desks that have more information about specific protests or specific countries.

We also work with them on vetting. Sometimes we continue supporting people, but we don’t know them, so we need someone to do that vetting.

In the helpline, Morgan, we speak more than 10 languages. Still, there are a lot of languages we don’t speak, and we get requests in those languages.

We don’t use AI. We don’t take messages that come to us and use them outside the system to translate them into English because we want to protect the people contacting us. We don’t use any AI translations.

So we need to be sure that people understand what we say, and we understand what they say.

Usually, if we don’t speak that language, we ask, “Do you speak English? Do you speak another language that we can help you in?” Or sometimes we try to cooperate with a local or regional organization that speaks that language, and we refer the cases to them.

“…when US funding was cut… At least six help desks just disappeared.”

Are you the only global organization that has a helpline?

We are the only global organization with a helpline working 24/7, yes.

There are other organizations that do this. But one crisis that happened to our community, Morgan, is that when US funding was cut, a lot of organizations decided to lay off their staff because there was no funding.

At least six help desks just disappeared.

People from those help desks started communicating with us and saying, “Look, we don’t have money anymore, but we still have cases that need support from you. Can you please help us?”

And what we do is say, “Yeah, please send it to us. If it is included in our mandate, we are happy to continue providing support.”

Ever since US funding disappeared, we’ve been getting a massive number of requests. Before that, we had the ability to refer more cases to other organizations. When something didn’t fit for us, we could still refer it to another help desk or another partner.

That is not the case anymore because a lot of those partners have disappeared. A lot of organizations lost a lot of money, so they don’t have the capacity or the ability to take more cases.

How are you funded? Were you affected by US cuts?

We have a policy of not taking any US funding. But at the same time, we were affected indirectly.

All the organizations funding us—the list of funders—is online on Access Now’s site because we have transparency on that.

But when US funding left the community, there was a huge gap that other funders and organizations wanted to cover. You cannot just cover $2 billion in one year or less.

If an organization or funder gave us money—say $200,000—they might come to us and say, “Okay, this year we will give you only $100,000 because we need to give the other $100,000 to another organization.”

So we are not directly affected by US funding, but we are affected indirectly because funders and other organizations are reducing funding to us because they need to cover funding for other organizations that already lost millions in their budgets.

It’s like you take $2 billion directly from a community, and then you tell the community, “Please solve this problem.”

You cannot. Two billion is not a small number, Morgan. There were hundreds of thousands of people working in these organizations, and they had to leave their communities. Every day, we get information that this person left an organization, or that person left an organization, because there is no funding. There are very amazing, talented people in the community now without jobs.

And the problem is, the organizations are still running. They don’t have the budget to do new hiring. Including Access Now, we had to freeze new hiring because we want to be sure that strategically we are doing well on the budget side and supporting the team already inside the organization.

“We lost massive research that could have [provided] a lot of hope in many places. In human rights, and digital security, and psychiatric support—everywhere…”

I’ve been talking to a lot of ex-federal scientists who no longer have their jobs—amazing people who have dedicated their career to public service and research. But I've been very focused on the US this whole time, so it's sobering to hear that has not been contained to the US. That very talented people doing great work have been pushed out of their jobs across the world, because of the US administration. That's important to know, and something that I think gets ignored a lot in the coverage that I've been seeing.

We lost a lot of research, not only in the US, in the whole world. We lost massive research that could have [provided] a lot of hope in many places. In human rights, and digital security, and psychiatric support—everywhere—we lost a lot of ability to do research that can [lead to] change in the future.

I know at least two or three researchers, who were working on amazing research that could have helped humanity, all the world. But they don't have the funding to travel, they don't have the funding to continue this research, now the research is on hold. The question is, how will that impact us in the long run?

After three or four years, when these people who do research cannot come back to the community, they cannot come back to the human rights field or the humanity fields, then they decide to go more to the business side—we actually lost these people. Because they will say the private side has better conditions, better salaries, it’s more stable than our community. “Why do I need to go back? I will get fired again.”

So we need to think about all of this, and the impact we will not see yet. I think you will see it in three, four years when we find we don't have all of these good people with us.

Yeah, I think you're right. The impact on research, especially, is going to be years down the line.

It's hard to ask for attention on that sometimes. Because there's other things that are impacted immediately, like all of the USAID global health programs that have been cut. That has immediate, devastating impacts. But the research—the positive things we’ve killed in the cradle—is also devastating.

“…we are at the stage where we need to invest more in humans, not technology.”

I want to show you the other side of that: When funding was cut, most organizations first reduced costs. Reducing costs meant laying off non-programmatic people in those organizations. That means IT people or security department people, and canceling a lot of services.

When we looked at what that means for security, for digital security, it means there is no one who can protect the staff from digital attacks, because that person is no longer in the organization.

Secondly, a lot of organizations lost services like email security, VPNs, and hosting. All of these services, organizations cannot pay for after the cuts. That’s why when I came to the situation, I said, “Let’s work on getting services.”

We started providing VPNs a year ago, but now we are also providing hosting, anti-malware, and other services, because we found out that these organizations needed support. They're already under attack, and we created another phase of attack by taking all the services from them, and good people from them. This will actually increase the possibility of being targeted by state actors, or non-state actors.

So you are acting as an IT department now for all of these groups that have had to cut theirs?

We are trying not to be, to be honest, Morgan. Because if we worked as an IT department for everyone—can you imagine? I think I would need at least 3,000 or 4,000 people on my team. My team is only 25 people. And 25 people focused on global needs is a really small number of people. If we want to help thousands of organizations, then I need at least 3,000 people on my team to do that work.

There are big challenges here, Morgan. Information security and cybersecurity are the most expensive fields in the whole world. The biggest challenge is finding good people who want to work with NGOs and don’t want to go work with big companies.

We cannot compete with a big company’s salary. I cannot give you hundreds of thousands of dollars like a private company will. With your expertise, knowledge, and skills, it will be easy for you to go to a big security company and get paid well, with good conditions, premium health insurance, and benefits.

Over the last few months, I have been trying to coordinate with independent cybersecurity institutes and cybersecurity companies that provide skills training, and asking if they can provide courses and training.

For example, there are cybersecurity courses that cost $10,000 for one person. No organization, especially an NGO, can send one person to a training course for $10,000.

So what I was thinking over the last few months is: How can we go to these organizations and talk with them about why social impact is important? Rather than bringing people with all this expertise from the private sector, why don’t we support people in the public sector, in NGOs, with the skills, courses, and professional development they need so they can rise as much as possible to the level of people in the private sector?

Bring in collaborators instead of trying to fund new programs yourself.

Exactly. I think we are at the stage where we need to invest more in humans, not technology.

I’ve attended hundreds of conferences about technology. Every NGO and human rights organization I saw spent a lot of money on technology: how to make AI good, how to get tools to reduce the amount of work, how to buy services and technology.

That’s good. It will make your life easier. But in the future, the question is: How will all these tools and services run? They will not run alone. Even AI will not run alone. It needs a human approach to work with all of this technology.

If you don’t invest now in humans and put all your money into technology, in the future you will not have the impact of that investment.

“One of the things I really like about my team is that everyone is an activist. The team has ethics.”

When it comes to AI, do you not use it at all? What’s your policy?

It’s a very complicated relationship with AI. In our work, we don’t use AI at all, because we deal with very sensitive information: people’s information, beneficiaries’ information, and requests that come to us through the helpline.

We recently built an internal AI policy: when we can use AI, how we use it, what kind of information we use it with. One of the things we need to think about is what private information and public information mean.

For example, if there is an article online and you want a summary of the article, fine. You put it into AI and ask for a summary because it is already public information. But imagine, Morgan, you send me a very private request to do something, and I put it into AI to translate it or give me a summary. That is a red line I don’t want to cross.

We’re talking about trust. How will beneficiaries trust us in the future if they know that we are using AI to analyze their case or translate what they send to us?

The minute you bring AI in, your security is compromised.

We are not developers. We don’t develop our own tools. We are trying to use tools. So one of the things we do is analyze tools before deciding to use them.

We ask: How does the tool store information? How does the tool use AI? What information is collected from people’s devices? How is that information collected? What is the data retention? Who are the developers? Where is the tool based?

If you tell me the tool is based in a very repressive country, like Russia or Korea, that is definitely a bigger question because the data center will be monitored by the government.

So we ask ourselves all these questions. If we have answers, then we may use that technology. If we don’t have answers, we prefer something less advanced but with protected information.

Any organization that gives us funding, we vet them. We have refused a lot of funding offers from big companies. Any funding that comes to us cannot require us to promote its technology. We don’t even use their technology sometimes. Maybe they fund us, but we think their technology is not suitable for the helpline or Access Now, so we don’t use it.

I always look at the ethical side of our work. It’s not only the professional side. One of the things I really like about my team, Morgan, is that everyone is an activist. The team has ethics.

I feel like the Silicon Valley philosophy of “move fast and break things” leaves the ethics for everybody else to pick up. They’ve abandoned it to make progress, and the rest of us have to dedicate so much time and energy to bringing ethics back into conversations around technology.

One challenge now is that there is a lot of money being spent on technology all over the world. Even small organizations in the private sector and NGOs are talking about how to make life easier, how to analyze information, and how to generate reports.

But ethically, how is this technology controlling our lives? How is this technology taking all the information and saving it in a very bad place, and then it gets leaked and everyone knows about it?

We need to ask ourselves these questions as organizations that deal with a lot of sensitive content and sensitive information.

We’ve sacrificed so much for efficiency and profit. It’s time to slow down and bring ethics back into the room.

“Is protecting your device based on technology? No… This is a behavior problem.”

Back to the helpline: Do you find yourself giving generally similar advice a lot of the time, or is it more specifically tailored to each organization?

We don’t repeat the same advice. It’s based on the risk because we don’t give general advice. We give specific advice to people. That’s why preventive work takes more time on our side. Sometimes it takes six or seven months because we want to do risk assessment, understand the threat model, understand the needs, and understand the resources you have.

All of that will tell us what approach to take. That’s why we go slowly. We don’t rush advice. We want to understand your needs first, and then we give advice.

I always say that we are like hospitals, doctors, and nurses. Can I give you medicine without a scan? Can I give you medicine without a blood test?

As I’ve been researching, security has come up over and over again. I know you said you don’t do general advice, but are there specific things people can do to protect themselves?

I will give you the best advice I’ve learned in the last 20 years. I think the risk is not from technology. I think the risk comes from behavior—our behavior using technology. Technology is just a support system. You want to do something, you use your computer to do it. That is how technology supports you. That’s why I always say the problem is not with technology. Technology is trying to help us. The problem is how we use that technology.

It’s important to look at protecting your information not only by learning how to use secure tools, secure technology, encryption, or good services. No. It’s also about changing your behavior toward technology and your daily use. We need to think: What are we doing that makes technology become a threat, not a supporter? It’s a very simple question.

What habits and behaviors do people typically have that pose the most risk?

How many people update their apps? How many people update their operating system on their device? How many people know that a link is bad and not to click on it? How many people communicate with people they don’t know?

How many times do people add people on Instagram and Facebook and receive messages from people they don’t know? How many times do people receive a message on WhatsApp, download it, and not know who sent it?

Do you know what each app on your device does? You download it, but do you know what each app does? Do you have a password on your phone?

The big question here is: Is protecting your device based on technology? No, because I can put a very weak password. The device will not tell me, “Don’t put that weak password.” It will accept any password

This is a behavior problem.

Morgan, I’ll ask you a question. How many times do you restart your phone in a day?

In a day? Not very often.

One of the most important pieces of advice I want to give people is to restart your phone at least twice a day. Because we found that some government spyware stays in the temporary memory of the phone. If you restart it, it removes the spyware from your device, and they need to infect you again.

So this is a small thing you can do daily, but people don’t do it.

Another question, Morgan: How many times do you close your computer at the end of the day? Not put it to sleep, but close it, because you’re too lazy to not turn it on the next day.

Someone told me, and I was shocked, “It’s been four weeks since I closed my computer.” That’s a big problem. That’s behavior. It’s not technology. Then they complain, “My computer is slow. There are a lot of things happening. There is a sound. It’s overheating.” All of these problems can happen because we didn’t close our computer.

“Build your safe environment inside social media. Don’t let social media lead you. You lead it.”

Would you say we’re encouraged to use technology in a risky way? I’m thinking of Apple designing phones around quick charging bursts. It’s not “turn your phone off at the end of the day and let it charge for hours.” It’s “keep your phone on all the time, unplug and replug whenever you need.” Same with laptops.

And with social media, people’s data is being mined, and that’s the point for tech companies. You are the product. I feel like the risk posed to the average person is that their habits and behaviors are being formed around being data cattle, basically. What’s your reaction to that?

That’s true, but still, I want to use social media. I still want to be online. I don’t want to be totally cut off from social media. I don’t advise people to leave social media. If you want to use social media, use it. The question is: What do you post on social media? What are the settings? Is it open? Is it private? I don’t have social media on my phone. Everything is on the computer.

Why is that?

Because a lot of these social media apps have specific permissions that allow them to collect information, track you to other apps, and make you spend more time in social media. Instagram does not allow you to post unless you are on your phone. That’s why I don’t have Instagram. If you don’t allow me to post from a computer, then I will not use it. Sorry, I don’t care.

Social media will not force you to post a picture. But you decide to post a picture that contains your location, people in the background, their faces, or a sign in the background that shows where you are or where you spend your time.

I feel like a lot of social media apps are designed to have you zone out — the algorithm, the flow state, not thinking very much. And you’re saying to interrupt that, be vigilant, and fight against the way the app is designed.

Yeah. Build your safe environment inside social media. Don’t let social media lead you. You lead it. In this way, you can protect yourself.

“If we answer questions like: What’s the risk? How do we manage the information? Who has access to the information? Then it helps us understand what [security] technology we want.”

I work with a lot of organizations dealing with very sensitive datasets. For example, one prison rights organization where they are interviewing LGBTQ prisoners who are very much a target of the US administration right now, especially trans prisoners. They are doing survey work and have a dataset that is very sensitive and targeted. Do you have any advice, practices, or tool recommendations for situations like that?

We need to ask ourselves what the threat model is. I don’t know the threat model here. But we need to ask: How are we collecting this information? Where are we hosting this information? Not only the technology, but also the country where we are hosting it, because if we are hosting in a country that prevents access to data, that is different from hosting in a country where the data center is open and can be accessed legally or otherwise.

Based on that risk assessment and understanding the needs, it will lead us to know what technology we want. For example, I may want to use this technology and data center, but I don’t want to use a data center in the US, I want to use a data center in Switzerland, or in Europe because of GDPR [General Data Protection Regulation]. I want to use this technology because it’s encrypted, or this technology because it’s open source and I trust open source more than a private company.

If we answer questions like: What’s the risk? How do we manage the information? Who has access to the information? Then it helps us understand what technology we want.

I’ve heard Iceland is a good place to keep data because they have strong data protection laws. How feasible is that for a really small grassroots community organization? Or what would you suggest as low-budget data security for activist organizations?

There are a lot of private companies now that have data centers in Iceland. So when you pick that service, you need to look at where they are hosting the data.

But Iceland is just an example. Today it is Iceland, yesterday it was Switzerland, tomorrow I don’t know. These data-retention and legal situations keep changing.

I would think about encrypting the data and then hosting it anywhere, rather than keeping the data unencrypted and hosted in a very strong country. In the future, that situation could change, and then all my data would be at risk.

For the independent journalist or researcher, what questions or prep should they be doing?

The biggest question, if you are a journalist, is to think about how you are getting information, how to protect your source, how to communicate with your source, how to protect the information you get from your source, and how to use that information without exposing your source.

As a journalist, a lot of information comes to you. One risk is that your source gets exposed, and you will be at risk.

You need to always think about the communication that is happening. A lot of journalists, to be honest, don’t encrypt their communication with their sources. When the source gets arrested or the journalist gets arrested, all this information gets exposed from both sides.

As far as encryption goes, we’ve had a lot of conversations around Signal. I feel like people’s trust has been shaken in that. How secure is Signal? Should we be using something else?

I think Signal is the most secure app now. The problem is, it’s not enough to use a secure app. The device that hosts the app also needs to be secure. If everything in your phone has good security, but your phone is compromised or infected with spyware, everything in the phone is exposed. So it’s not like securing the app makes you 100% bulletproof. You also need to secure the device itself.

Then the next level is: If you are stopped by the police and give them your password, then even if you secured your app and your device, everything can still be exposed. You need to think about different layers of protection: the app, the device, and a strategy for what happens if your device is confiscated or taken.

You mentioned that you’re reaching out to private-sector collaborators for skills courses they may already offer, but asking them to provide them for free. What other ways are you trying to adapt to the massive problems that have been caused by all of this?

One of the main things is enhancing and providing skills to people in the community. The community is already poor. It doesn’t have money to spend on very expensive people to be on their side. So the best thing, as I said, is to invest in humans as much as you can.

Invest in humans in a strategic way, not a random way. In the helpline, for each position, we have a list of courses and training that position needs. So you’re not investing randomly in people. You’re investing strategically to help someone move from one stage to the next.