Digital Security, A Must Have Skill for OGBV Extenuation

Gratefully appreciative of the partnership with Women of Uganda Network (WOUGNET) and Digital Human Rights Lab (DHRLab), I sincerely thank you for the opportunity and confidence exhibited in me while the one-week digital security training took the centre stage. 

End-user training, which varies dramatically in scope and length, typically convenes some mix of human rights defenders, activists, and media producers (bloggers, journalists, or citizen reporters) to focus on tools, tactics, and concepts that facilitate the safe use of digital platforms and tools. I am glad to have been part of the 5-day ToT training designed to build the capacity of trainers from 5 districts in Uganda (Kabale, Lira, Kampala, Kabarole, and Jinja) who later trained 120 university students, women politicians, artists, activists, journalists and law enforcers in Uganda. A relatively small pool of security experts capable of training in the digital security/safety and development fields limits the degree to which this community can grow and respond rapidly.



Cumulatively, these efforts endeavor to support civil society, human rights defenders, university students, law enforcers, activists, and journalists in their attempts to access, and communicate information in repressive contexts without compromising themselves or their colleagues. Targeting women survivors of Online Gender-Based Violence was always going to be NOT only a good thing BUT also the only path to securing their online presence and encouraging meaningful participation.  

Cyber security training has come a long way in the last few years. Back in the day, security training was largely reserved for IT security specialists and then extended to include IT personnel in general. These days, all human rights defenders and activists need to be well educated in security best practices and good habits if the organization wishes to avoid ransomware and malware. Based on the 5-day digital security training, the following were some of the feedback or achievements WOUGNET got from the training:


The current focus of most digital security awareness training initiatives is on phishing – and with good reason. Phishing is responsible for the bulk of breaches. I greatly appreciate the trainees for their soberness throughout the whole week and their sincere appreciation towards our efforts to make them aware of the trends in the digital world.


By Taremwa Albert

-------------------------------------------------------------------------------------------------------------------

This article is part of a series of posts by trainers of trainees during the online safety and digital security capacity building workshop conducted by Women of Uganda Network (WOUGNET) under the project, Enhancing Women’s Rights Online through inclusive and effective response to online Gender-based violence in Uganda. The project is funded by the Digital Human Rights Lab which is implemented by betterplace lab and Future Challenges under a grant agreement with the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) Programme Strengthening Governance and Civil Society in Uganda, funded by the German Federal Ministry of Economic Cooperation and Development (BMZ) under its Digital Africa Initiative.



WhatsApp and its Encryption Chat Backup on the Cloud: Secure Messaging Applications

My experience and that of the participants during the digital security training raise questions about how secure messaging applications are, mainly from day four, where we discussed secure communications, looked at examples of chat applications and their safety functionalities, such as those of WhatsApp, Telegram, Instagram, and others, and identified which ones were safe and which were not. The subject was majorly on WhatsApp messenger because it’s widely used around the globe. Also, the structure of the internet called metadata explains how we are secretly interconnected when accessing and sharing information. The prominence of social media platforms can be due to two main reasons: Facebook does not require the verification of users on signup (such as providing a phone number), making it easier for one to hide their identity while using the platform, and there are no evident community standards on closed platforms such as Telegram, with sole authority resting on the administrator of these large groups, while WhatsApp uses phone numbers, which then accesses the contact list.

While participants suffered from offensive Online Gender-Based Violence threats on WhatsApp, they were often doxed when added to groups known as WhatsApp groups without their consent simply because someone has your number. 

From my point of view, I would say WhatsApp is a communication media platform that is worrying and out of regulation and yet we can’t do much about it. We can say the Facebook community standard is weak but the good thing is that it has a regulatory system and this community involves WhatsApp, Instagram, and Facebook.

WhatsApp’s announcement on Friday, September 10th, 2021 rolled out provision for end-to-end encryption of chat backups that we usually store on the cloud. This is done by both Android and iOS users, and it’s a way of storing information such as photos, videos, and chat messages so that in case you lose your phone, your information can be retrieved which can now be done in a secure manner for the application users.

 

As of 2021, over 2 billion people use WhatsApp, and it is the most popular mobile messenger app worldwide, outranking Facebook Messenger at 1.3 billion and WeChat at 1.2 billion users. Compared to other chat applications, Facebook first owned a messaging platform that had end-to-end encryption (E2EE) for personal messages, calls, video chats, and media between senders and recipients as far back as April 2016. In case of loss or damage of a device, information was to be backed up on the cloud to enable the transfer of the backed-up information to a new device. However, the process wasn't subjected to the same security protections, making the backups readable by the cloud providers.

 

How the E2EE backups Work

The cryptographic keys used to encrypt and decrypt the messages are stored on the endpoints. This approach uses public-key encryption. Before encryption keys and passwords are generated, one first has to enable E2EE backups. WhatsApp developed an entirely new system for encryption key storage that works with both iOS and Android mobile devices. With E2EE backups enabled, backups will be encrypted with a unique, randomly generated encryption key. People can choose to secure the key manually or with a user password. When someone opts for a password, the key is stored in a Backup Key Vault that is built on a component called a hardware security module (HSM): specialized, secure hardware that can be used to securely store encryption keys. When the account owner needs access to their backup, they can access it with their encryption key, or they can use their personal password to retrieve their encryption key from the HSM-based Backup Key Vault and decrypt their backup. The HSM is therefore responsible for enforcing the limit on password verification attempts and rendering the key permanently inaccessible after a limited number of unsuccessful attempts to access it.

When Storing Encryption Keys in the Backup Key Vault

The client and the HSM-based Backup Key Vault will exchange encrypted messages, the contents of which will not be accessible to ChatD, WhatsApp's front-end service, itself.

The HSM-based Backup Key Vault will sit behind ChatD and provide highly available and secure storage for the encryption keys to the backups. The backups themselves will be generated as a continuous stream of data that is encrypted using symmetric encryption with the generated key. With E2EE backups enabled, upon being encrypted, a backup can then be stored off the device (e.g., to iCloud or Google Drive). 


Figure 1: WhatsApp Settings menu

"With end-to-end encrypted backups enabled, before storing backups in the cloud, the client encrypts the chat messages and all the messaging data (i.e. text, photos, videos, etc.) that is being backed up using a random key that is generated on the user's device," it added.

To that end, the device-generated key to encrypt the backup is secured with a user-furnished password, which is stored in the vault to permit easy recovery in the event the device gets stolen. Alternatively, users have the option of providing a 64-digit encryption key instead of a password but in this scenario, the encryption key will have to be stored manually given that it will no longer be sent to the HSM Backup Key Vault.


Figure 2: 64-digit encryption key
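
The password-protected vault and the 64-digit key option described above, as a simplified Python model. This is an added example, not WhatsApp's code or protocol; the attempt limit, the PBKDF2 parameters and every class and function name are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5           # assumed limit; the article only says "a limited number"
KDF_ITERATIONS = 100_000   # assumed PBKDF2 work factor for this model


class KeyDestroyed(Exception):
    """Raised once the vault has made a key permanently inaccessible."""


def generate_backup_key() -> bytes:
    """Random 256-bit backup key, generated on the user's device."""
    return secrets.token_bytes(32)


def to_64_digit_key(key: bytes) -> str:
    """Manual option: the same key written as 64 hex digits for the user to keep."""
    return key.hex()


class BackupKeyVault:
    """Stand-in for the HSM-based vault: holds keys and counts failed attempts."""

    def __init__(self) -> None:
        self._records = {}

    @staticmethod
    def _verifier(password: str, salt: bytes) -> bytes:
        # Only a salted, slow hash of the password is kept for comparison.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)

    def store(self, account: str, password: str, backup_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._records[account] = {
            "salt": salt,
            "verifier": self._verifier(password, salt),
            "key": backup_key,
            "failures": 0,
        }

    def retrieve(self, account: str, password: str):
        """Return the key on a correct password, None on a wrong one.

        After MAX_ATTEMPTS consecutive failures the key is erased, so even the
        correct password can no longer recover it.
        """
        record = self._records[account]
        if record["key"] is None:
            raise KeyDestroyed(account)
        candidate = self._verifier(password, record["salt"])
        if hmac.compare_digest(candidate, record["verifier"]):
            record["failures"] = 0
            return record["key"]
        record["failures"] += 1
        if record["failures"] >= MAX_ATTEMPTS:
            record["key"] = None  # permanently inaccessible from here on
        return None


def run_demo() -> dict:
    """Walk through recovery, wrong guesses and lockout with constructed values."""
    vault = BackupKeyVault()
    key = generate_backup_key()
    vault.store("user@example", "correct horse battery", key)
    recovered = vault.retrieve("user@example", "correct horse battery")
    guesses = [vault.retrieve("user@example", f"guess-{i}") for i in range(MAX_ATTEMPTS)]
    try:
        vault.retrieve("user@example", "correct horse battery")
        locked = False
    except KeyDestroyed:
        locked = True
    return {"recovered": recovered == key, "guesses": guesses, "locked": locked}


if __name__ == "__main__":
    print(run_demo())
```

With the 64-digit option nothing is stored in the vault at all, so `to_64_digit_key` is the only copy of the key and losing it means losing the backup.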

Unencrypted cloud backups have been a major security loophole and law enforcement agencies have been able to access WhatsApp chats to gather incriminating evidence pertaining to criminal investigations. 

Facebook's chief executive Mark Zuckerberg in a post said, "WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems".

 

Written by 

Nyapendi Esther

 

---------------------------------------------------------------------------------------------------------------------------------------------


The Significance of Digital Safety Training for Women in Uganda during the COVID-19 Pandemic

Violence against women both online and offline is a violation of human rights, with devastating physical and psychological impacts on both survivors and victims. As COVID-19 continues to rip economies apart, it has also indirectly led to an exponential rise in the instances of online gender-based violence. The standard operating procedures (SOPs) introduced by the government, which isolate a number of women at home, leave them with no alternative other than using the internet to communicate with distant relatives and friends and to work from home. This exposes women to online gender-based violence, including threats like cyber-harassment, trolling, doxing, non-consensual image distribution, and others. The transition to the online space has left many women vulnerable to online gender-based violence (OGBV). In Uganda, one in three women has experienced a form of online GBV.

Women stand at a higher risk of suffering from online gender-based violence compared to men, through a continuum of multiple, recurring and interrelated forms of gender-based violence. Online GBV has worrying effects on women with inadequate digital safety skills.

On top of paralyzing the world economies, COVID-19 has led to a surge in the violence against Ugandan women on the internet. Additionally, cyber-attacks such as phishing have been on the rise.

In the past year, Google has been blocking 18 million COVID-19 related emails sent by scammers to Gmail users every day; the emails attempt to persuade victims to download malicious software or to steal sensitive information.

Malicious cyber actors are devising new tactics to launch cyber-attacks and commit online gender-based violence-related crimes. Therefore, digital/online safety awareness for women is more important than ever before. 

Humans are the weakest link in cybersecurity. Most cyber-criminals target the human end-point through social engineering attacks, also known as human hacking, since it’s easy to exploit human behaviours and most people are not cyber-aware. Digital safety is everyone’s responsibility: a weakness in one internet point or user is a threat to others in the same network. For instance, if a user doesn’t use a lock screen on his/her mobile phone and the mobile phone gets stolen, that user puts his/her contacts (phone numbers) at risk of cyber-attacks since criminals can use these contacts to send phishing emails and links.

All of these circumstances call for digital safety training for women and girls in Uganda. Gender-based digital security includes training women and girls to protect their identities against cyber-attacks and online gender-based violence cases. It is these occurrences and observations that inspired Women of Uganda Network (WOUGNET) in collaboration with Digital Human Rights Lab (DHRLab) and GIZ Uganda to organize a workshop on online safety for women politicians, journalists, artists, university students, law enforcers, and policymakers in Kabarole and other districts. The virtual digital safety training happened from the 6th to the 10th of September 2021. The workshop covered different topics that address the digital safety challenges that are commonly faced by Ugandan women online.

The workshop empowered the participants with skills and knowledge to identify, prevent and report cases of online gender-based violence. The participants were equipped with the following skills; password management, secure browsing, encrypting data (both at rest and in transit), device management, and risk management. 

Katuutu Shakillah, a participant, commended the work of WOUGNET and its partners for organizing the workshop. “I have learnt several concepts such as secure communication, digital security, password management, among others”, Shakillah said.   Additionally, some participants asked the facilitator if WOUGNET could arrange more of these training sessions in the future. “We need more of these workshops”, Sheila Tusiime said.


At the end of the workshop, the facilitators were able to shape up a group of people that not only respect all genders and identities online but also advocate for an inclusive and safe place on the internet for all.

By Kalema Christopher

-------------------------------------------------------------------------------------------------------------------------------------------



The Dangers in Digital Security that the Majority have Chosen to Overlook

WOUGNET is a non-governmental organization that promotes and supports the use of ICTs by women and women organizations in Uganda so that they can take advantage of the opportunities presented by ICTs in order to effectively address national and local problems of sustainable development. 

Over the last decades, there has been widespread use of the personal computer, the ever-present internet, and the massive roll-out of mobile communications. However, the internet has turned out to be a dangerous place for many women and girls. Social media has become a new way to carry out old patterns of oppression and violence against women and girls, and the majority continue to be the target of online harassment that quickly descends into sexualized hate speech or threats.

Based on the research that was conducted by WOUGNET with support from the Digital Human Rights Lab (DHRLab), there was a need to conduct a Digital Security and Online Safety Training for Women and Law Enforcers in Uganda as an inclusive and effective response to online harassment. This involved women journalists, politicians, activists, artists, and University students. The training was executed in 5 administrative regions of Uganda with representation from 5 districts.  This included Kampala, Kabarole, Kabale, Jinja, and Lira of Uganda. 

In this training, I was privileged to serve as an online safety and digital security community volunteer, a position that enabled me to train participants in the Kampala district. The main objective of the training was to conduct digital literacy and online safety/digital security capacity building training for 120 women politicians, journalists, artists, University students, and law enforcers to improve protection and response to online gender-based violence.

 

The training in Kampala district had a total of 22 sessions, which tackled topics on the internet, defining digital security and the different elements related to it, chat management, password management, and data protection, not forgetting encryption.

From the above information we pondered and asked the following questions to set the pace for our discussion; How much data do you have online? How well secure are you online? How many passwords do you have for the different accounts you own online? Who knows about you online? How many accounts do you have online? 

We explored the different options and checked out the different solutions to online harassment/violence such as hacking, doxing, trolling, online impersonation/identity among other online-related threats. It looks like a light issue but these are serious issues and with one slight mistake, you might be putting yourself at risk from people trying to bring you down or people who are not happy with you. 

If you have ever filled in an online form that captures your email, phone number, and other details like gender, and asks you to create a password, you need to know that the number of forms you have filled in is the amount of data you have made publicly available on the internet. In case there is a breach of a particular service, all your details will be exposed, along with those of the other people associated with that platform.

A data scraping activity that was done against Facebook in 2019 led to the exposure of vital data of Facebook users, “exposed data included personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. These included personal information such as their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and - in some cases - email addresses. Although Facebook claims to have patched the vulnerability in 2019” but this information was shared publicly in March 2021 on an online low-level hacking forum.

Therefore, the information you share online determines how vulnerable you are to the public when things take a turn for the worse. 

How can you keep yourself safe when using online services?

  • You can use a dummy account when you are registering online and are required to have a working email. So don’t stress: follow the links below to create yourself a dummy email that will allow you to access the service you are applying for, and when done just delete the account, or create as many emails as possible. This is the only way you can start being anonymous while enjoying the internet.

  1. https://temp-mail.org/en/  

  2. https://emailfake.com/  

How well secure is your online presence? 

  • After establishing that you have multiple accounts online, how secure are they? Are you using a password and if yes how strong is your password? During the training that was conducted, we learned how to create strong passwords, and how to manage these overwhelming complex passwords. 

This was a chance for the trainees to learn how to create a complex password that they can easily remember but is hard for others to guess including a computer. Imagine a password that will take a computer 1000 decades to crack? How fulfilling? Well to achieve this is very easy. Check out these few steps hereunder; 

  • #1 Generate It: You can either think of a password or use a password generator site to create a strong password.

  • #2 Enhance It: You can add your own flair to the password generated. 

  • #3 Memorize It: Make it practical. 

  • #4 Un-Dictionary It: Remove all vowels and swap with special characters 

  • #5 Measure It: Test how strong your password is using this link here  https://howsecureismypassword.net/  
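
Steps #1, #4 and #5 above, sketched in Python so the measurement can be run locally. This is an added example, not part of the original training material; the word list, the vowel mapping, the guess rate and all function names are assumptions.

```python
import math
import secrets
import string

# Constructed sample word list (assumption); a real list should have thousands of words.
WORDS = ["market", "bicycle", "thunder", "mango", "lantern", "river", "pepper", "sunrise"]
# Assumed vowel-to-symbol mapping for step #4; choose your own.
SWAPS = {"a": "@", "e": "3", "i": "!", "o": "0", "u": "^"}
GUESSES_PER_SECOND = 1e10  # assumed attacker speed, used only for the estimate
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate(n_words: int = 3) -> str:
    """Step #1: pick random words with a cryptographically secure generator."""
    return "-".join(secrets.choice(WORDS) for _ in range(n_words))


def un_dictionary(password: str) -> str:
    """Step #4: replace every vowel with a special character."""
    return "".join(SWAPS.get(ch.lower(), ch) for ch in password)


def pool_size(password: str) -> int:
    """Count the characters an attacker must try per position, by class used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(ch in cls for ch in password))


def estimate_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Step #5: brute-force time in years for pool_size ** length guesses.

    This is an upper bound: it assumes every character is random, so it
    overstates passwords built from dictionary words or predictable swaps.
    """
    pool = pool_size(password)
    if not password or pool == 0:
        return 0.0
    bits = len(password) * math.log2(pool)
    if bits > 1000:  # avoid float overflow on very long inputs
        return math.inf
    return 2.0 ** bits / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    base = generate()
    hardened = un_dictionary(base)
    print(f"{base!r}: about {estimate_years(base):,.0f} years")
    print(f"{hardened!r}: about {estimate_years(hardened):,.0f} years")
```

Steps #2 and #3 stay with the person: the flair you add and how you memorize the result are not something a script should choose for you.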

After all this, you can be sure that you have a secure password, but what happens when you have multiple accounts and you can’t keep track of all the passwords in your head? All you have to do is use a password manager. As indicated below, you will also know how to use the website’s password generator.

How does the password manager work? 

It is a piece of software or an application that can generate a complex password for you, save it within its environment, and associate it with an account such as Facebook, Twitter, Gmail, or any other online account. All the accounts collected inside the password manager are controlled using one main password: the master password. Some of these tools are both online and offline, but online is convenient, such as LastPass. In addition to that, a password manager like KeePass also supports entries for passwords of non-web-based accounts. When you double-click on an entry, KeePass will copy the password for that entry into the clipboard of your computer for 12 seconds. After that time, your clipboard is cleared so the password is not accidentally pasted where it should not be.

KeePass can be downloaded for Windows, and for the iOS team you have a tool called Keychain.

The process above gives you the upper hand in keeping your passwords safe. Be sure to back up your KeePass file to a secure location like your Google Drive, or store it on a local external drive, so that if your computer gets a problem you won’t be locked out forever. LastPass is okay since most of the time the passwords are encrypted and synchronized online, but ensure you remember your password hint and also the security question’s answer.

Who knows about you online? 

This takes us back to the first element, which is about the amount of information you have online; how famous the website you have an account on is determines how many hits you get while online. So if someone searches for you, or for a name that is the same as yours, your information will be served in the result list. If someone was looking for you, this is where the element of doxing comes into play: they will use your information for their own activities or even sell your data to the highest bidder. This is highly dependent on the kind of information they have about you. Data mining is the most popular activity out there and the information mined, depending on whom it belongs to, determines how much the buyer will pay.

How many accounts do you have online? You are not sure? 

Well, don’t worry, just search for your favorite username using https://namechk.com/. The sites you are registered on are turned purple, while anything else is either an error, not registered on that site, or simply not available. So, the number of accounts you have determines how vulnerable you are in case of a system hack somewhere. You can be at risk of doxing or even blackmail. So how can you protect yourself? It’s quite simple: avoid providing personal information online and use dummy information fillers instead, unless it’s an official site where you have to be legit and real.

Online gender-based violence is taking a toll and it’s rising. This is because at times the perpetrator due to lack of knowledge commits crimes such as stalking, trolling, impersonation, doxing among others unknowingly/not knowing it’s a crime. On the other hand, sometimes it's the victims that put themselves out there as prey unknowingly. Those who are conscious about online-gender-based violence tend to trick their victims and as a result, take advantage of the situation. 

With the sensitization of the public about the different effects of online gender-based violence and guidance on how to protect them against these online threats and dangers. Getting tricked and ending up a victim has a much greater impact, more so if it’s a matter that you could have sorted out with basic digital security training.

Kindly check out our monthly technical tips and ways that can help you to sort out some of the technical issues related to your computer or mobile. 

Compiled by: Letowon Saitoti Abdi

……………………………………………………………………………………………………………………………………..


My Experience during WOUGNET’s Online Safety and Digital Security Capacity Building Workshop

In the world we live in today, with every sphere of life being engulfed by digitalization, either directly or indirectly, it’s only possible that one can thrive within the space when aware of the risks around them, fully equipped with digital skills and digital security tools.

Women of Uganda Network (WOUGNET), a non-governmental organization that promotes and supports the use of ICTs by women and women’s organizations in Uganda with support from the Digital Human Rights Lab (DHRLab) conducted a two weeks’ capacity building training on online safety and digital security in which I took part.

The training was focused on empowering 6 community volunteers and Training of Trainers (TOT)  identified from 5 districts of Uganda. 

The first phase of the training kicked off from 30th August 2021 to 3rd September 2021 with the TOT which comprised a number of 6 participants.

The purpose of the training was to prepare the trainers for the 5 days’ training on online safety and digital security for 120 women politicians, journalists, artists, University students, and law enforcement officers in Uganda to improve protection and response to online gender-based violence.

As a trainer who participated in the TOT, I was able to acquire knowledge in the best approach to handling adult learning. During the TOT, the trainer Mr. Gole Andrew stressed the best methodologies and approaches to handling adult learning. He said adults learn because they want to but not because they need to.

He further mentioned that adults have other priorities that need their attention as opposed to the children who learn because they need to survive in the tough environment in the future.

Some of the approaches and methodologies I learned during the training included the use of activities and discussions that allow knowledge sharing and hands-on practice for deepening the understanding of the participants on digital security. Indeed, I found these skills so unique, and special thanks should be given to WOUGNET that it was my first time to acquire them yet quickly adopt them.

Why Online Privacy and Security is Important?

The second phase of the training kicked off from 6th September 2021 to 10th September 2021.

This phase was for the community volunteers from the district of Lira. The training consisted of 25 participants from different fields of work among which included; politicians, journalists, artists, University students, and law enforcers.

The purpose of the training was to improve the protection of women’s online privacy and security tools while using the online platforms. It was also to enhance online safety and digital security through strategic digital literacy capacity skills-building training for the most at-risk women and youth to reduce unlawful abuse or misuse of digital platforms in Uganda.

The training approach was majorly sharing of experience and discussing in detail the online safety tips. The participants all admitted that they were faced with at least one or two online security attacks thus the need to mitigate them. Some of the attacks discussed included; stalking, trolling, doxing, cyber-bullying, hate speech, online harassment, phishing, hacking, and impersonation among others.

As a trainer, I learned that there are quite a number of women, such as politicians, journalists, artists, University students, law enforcers, etc., that are facing the different forms of online risks in Uganda. It takes an initiative such as digital security capacity building training to mitigate the above-mentioned online risks. Cyber security thrives in the shadows; however, the more light we shine on it, the better the chances of stopping the adversary.

Recommendation

I recommend that at each level, whether individual or organizational, the need for digital safety should be paramount, knowing that the desire to become a human firewall starts with the urgency and capability of protecting one’s own information.

Therefore, your personal information and your computer are really valuable, and the online violence perpetrators such as bullies, stalkers, hackers among others really know it, so be enlightened by following digital safety tips to keep safe while navigating the various digital platforms.


By Happy Ayomirwoth Ongi

……………………………………………………………………………………………………………………………………….

