Communication and Safety Guidelines

As a distributed community, our work will be smoother, safer and more efficient if we all share a basic methodology and set of tools for our communications.

We welcome feedback on this document and our information safety procedures! If you'd like to make comments or suggestions, please use this open Google Doc version of our Communication and Safety Guidelines, which explains our procedure for collecting and discussing new ideas.

We are all free to use other platforms to talk with fellow GVers, but we should always consider using a safer option when discussing work, especially for any kind of sensitive information (discussed below).

Recommended platforms

Writing & Collaboration

  • WordPress: Most GV stories are written and edited using our WordPress websites. Be sure to use a unique, strong password or your GV WordPress account. Log out of WordPress when you are not using it.
  • Google docs/Google drive: Sometimes, we use Google docs to collaborate on stories. If you are creating or contributing to a story in a Google doc, be sure to share the document ONLY with the people who are working on the story. Never use the “anyone with a link” or “public on the web” settings.

Email

  • Gmail: Establish and use a Gmail account for everyday email regarding GV work.
  • Protonmail (more secure): For sensitive documents, such as financial information, you can use Protonmail which has end-to-end encryption, making it more secure and private than Gmail. For maximum security, messages should be sent between two Protonmail accounts, ensuring absolute privacy.

Messaging and voice apps

  • Signal (more secure): Use this for real-time communication with staff, volunteers, partners, sources. Use for communication about sensitive information, especially if you need to reach a person quickly.
  • Wire: (secure alternative to Signal, with similar encryption and use-cases)
  • WhatsApp: Use this for real-time communication with staff, volunteers, partners, sources. Can also be used for communication about sensitive information if Signal or Wire will not work*

* Signal and Wire are the top recommended apps for secure, real-time communication today. While WhatsApp is fairly safe, it is owned by Facebook, and we know that the company collects some data about our messages. Signal and Wire collect the minimum information needed to provide the service that they offer. All of these apps are vulnerable to censorship, and some are blocked in certain countries.

Video chat

  • Jitsi (more secure): Jitsi is a free, open-source service that offers on-demand video communication with a high degree of privacy and encryption. The https://meet.jit.si server can be used to host conversations for free, and is recommended for meetings up to 8 people that require privacy. Jitsi doesn't ask you to sign in or create an account, and saves no information about your activities, making it a more private option than commercial services like Zoom, Skype or Google Hangouts.
    • Note on end-to-end encryption in Jitsi: one-on-one conversations over Jitsi are end-to-end encrypted, and should be completely secure. Calls with more than 2 people may be decrypted on the Jitsi servers in transit, and are thus not end-to-end encrypted, which is a theoretical security risk. Jitsi is still recommended as the most secure option, especially if the identities of participants is sensitive, because their overall service is focused on privacy and promises not to collect personal data.
  • Zoom is a video conference tool that works very well with small or large groups of people. GV uses paid Zoom accounts internally and to host online public events.
    • As with Jitsi, Zoom meetings are encrypted in transit, so someone spying on you won't know the content, but not end-to-end encrypted, so theoretically Zoom could view the content as part of a wiretap or other legal intervention.
    • Previous versions of the Zoom privacy policy were ambiguous, but the current version states that they will never sell personal data they collect about users or use it for marketing. The data they collect is only used to make the product work. Still, if maintaining your anonymity is vital, please use a VPN service when accessing Zoom, or consider using Jitsi instead.
  • Google Hangouts and Skype:  Both offer free, on-demand video communication, though neither offers complete privacy or encryption. Use these when Jitsi/Zoom are un-available and the content and participants in the call don't require absolute security.

 

Handling and communicating “sensitive” information

If you're discussing sensitive information with another GVer, please ensure you are using the most secure platform possible (i.e. Tutanota for email, and Signal for messaging).

Examples of sensitive information:

  • Information for a story that could generate risk for a volunteer, a staff member, the subject of the story, a partner organization, or GV as an organization
  • Personal information – Anyone's street addresses, telephone numbers, email addresses, personal identification numbers, emergency contacts, etc. including your own
  • Financial information – Bank account numbers or logins, credit card numbers etc.
  • Administrative information – Employee personnel records, electronic documents containing confidential information, legal documents, contracts, passport copies
  • Accounts information – User IDs, passwords, and PIN numbers

Protect your devices and data

All editors owe it to themselves, their teams and the whole GV community to keep their systems safe and up-to-date, as well as following best-practices for storing any sensitive information.

Passwords – VERY IMPORTANT!

  • Use unique passwords for every single login you create, especially for GV communications.
  • Use a password manager like KeepassXC (free) or 1Password (paid) to track and securely store passwords in a vault.
  • Never store passwords within a browser (Chrome, Firefox) password manager. Instead, use the browser extensions for the tools above to securely integrate your vault into apps where  passwords are needed.
  • Only store passwords in encrypted format! Use one of the password managers above or, if you need to store them in another type of file, use Veracrypt to encrypt the file in a secure container.
  • Never share passwords over open channels of communication like email or especially Skype. Ideally use encrypted voice, otherwise use encrypted chat like Signal and ensure both parties delete the password from their message history immediately.
  • Set a screen lock on computers and mobile phones that locks within five minutes of inactivity so no one can hijack your logged-in sessions.
  • Change passwords every six months.
  • Notify a core team member if you suspect any of your Global Voices-related passwords are stolen.

Browsers and web traffic

  • Use Chrome or Firefox browsers as a baseline for all work.
  • Always consider how your web traffic — i.e. websites that you visit — can be “sensitive” or put you in danger. Have a plan to ensure it can't be traced back to you.
  • When in doubt, use Incognito/Private Browsing mode in your browser so that all cookies and web history will be automatically deleted and cannot be found later by someone with access to your computer.
  • Private browsing does not protect you from spying by governments who control internet infrastructure. If you are visiting a site that contains sensitive information, or information that is considered illegal, always use TOR Browser.
  • Tor  (i.e.TorBrowser) should be used for sensitive or dangerous web traffic.  It will anonymize you geographically so that your activities cannot be traced to your location.

Email

  • Use Gmail for everyday GV-related communications.
  • Use GV email groups to share and request information that is appropriate for the broader community to see and share. DO NOT send or request sensitive information using GV email groups.
  • Never send sensitive information over Gmail. Instead use an end-to-end encrypted tool such as SignalJitsi, or the ultra-secure email service Tutanota.
  • Before forwarding an email, always consider whether it includes sensitive information and use a more secure channel as necessary.
  • Actively specify when an email is NOT to be forwarded.
  • Never open attachments from untrusted sources or under suspicious circumstances, as they are the leading cause of viruses and malware.

Mobile phones and tablets

  • Set your devices to lock automatically and require a passcode to be turned on or used.
  • Run software updates minimum once a month, or as soon as critical updates become available.
  • Back up the data on your devices – phone, computer, tablet – at least once per month.
  • Ensure all backups of your data are encrypted.
  • Contact your supervisor if you think there is an infection on your device.

Computer operating systems

  • Set your computer to sleep automatically after a short period of inactivity and require a password to wake up.
  • Run software updates minimum once a month, or as soon as critical updates become available.
  • Run an updated, licensed antivirus software.
    • For free antivirus, we recommend Windows Defender for Windows users. We have no free antivirus recommendations for macOS at this time, due to privacy issues with our previous recommendations (Avira and Avast).
    • For paid antivirus we recommend the licensed Bitdefender products, which are available for Windows and MacOS.
      • Annual-term Global Voices contractors who do not have an effective antivirus may request a Bitdefender license for use in their work. To do so, please use the GV Bitdefender License Request form.
  • Back up the data on your devices – phone, computer, tablet – at least once per month.
  • Ensure all backups of your data are encrypted.
  • Contact your supervisor if you think there is an infection on your computer.

Data storage and maintenance

  • Store any sensitive information on your laptop in encrypted directories. Use the free, open source software tool VeraCrypt to create encrypted folders on your computer. If someone steals or confiscates your computer, they will not be able to access the information held in these files, even if they can access everything else.
  • Perform periodic cleanup of all files needed for your work with Global Voices that are stored on your hard drive.
  • Delete anything unnecessary or sensitive that isn't encrypted, including erasing web history, browser caches, and chat logs.
  • Destroy information on hard disks before sending them in for repair or throwing them away.
  • Securely dispose of any physical information (i.e. hard copies of documents related to work, storage media used to store or transfer files, paper documents) when you no longer need it.

GV group lists: Google Groups, Facebook, WhatsApp and RiseUp

  • Join email, WhatsApp and other community groups that are relevant to your work with GV. If you decide you don’t want to be part of a group, tell the group leader.
  • Never send sensitive information to a mailing list or group. If another group member sends sensitive information to the group, remind them that this is risky behavior and ask all group members not to share the information further.

WiFi Networks

  • Change home WiFi account password twice a year.
  • Secure home WiFi with Protected Access II (WPA2) or stronger encryption.
  • When using insecure wifi networks (essentially any unknown/unfamiliar connection), use a VPN or the Tor browser.

Community Support

  • If you get a strange message, your machine is acting weird, or an author contacts you saying that s/he is having this kind of problem, immediately ask for help from any core team member.
  • Communications tools sometimes break or fail to work properly. If this happens, immediately ask for help from any core team member. You don't want these systems to be broken when you need them most. If your own system breaks or fails, use communication tools belonging to trusted people.
  • Remember that when we communicate as a group — on our lists, and within WordPress — each person's habits can affect the whole community. If you have an easy-to-guess password for WordPress, someone could use this to break into our system. If your email is hacked, someone could read many community messages on the Google group. If you think these tips might not matter for you, always think of the community first!

Global Voices logo and a lock icon