Privacy and Security

Comments

(Henry)

Think this belongs in the GDPR/Privacy bit, but also needs updating.


How private is your data on the XR communication services?

Data on our new services is held in an encrypted partition on a server in Switzerland (which has excellent data protection laws). Should we receive the statutory 24 hours' notice of a data access request, we only have to shut down the server to make the disk about as much use to the authorities as a brick.

Having said that, data on a public channel in Mattermost, a public forum on UK Forums, or a shared folder on UK Cloud should be considered public -- if anyone in XR can access it, then you should assume there is a mole in the organisation, who can pass it on to the authorities.

All data on any server is accessible to the system administrator of the server. This is why we do not recommend using third party servers for anything in the least bit sensitive. The system administrators of all the XR servers (a handful in total) are all long standing XR members who are trusted by the movement.

Mattermost

The system administrators of the Mattermost server (none of whom are in the UK) ask that you do not share specific details of illegal activity on Mattermost. It is conceivable that the authorities would be able to obtain an injunction to access the server in Switzerland, which would mean it would be closed down, and that would be very inconvenient for the global movement.

Data in a private channel in Mattermost can only be accessed by members of the channel. Only existing members of the channel can add new people, so this is the highest level of privacy available to you.

You may notice that private channels created by the XR UK Hub have xrukadmin as a member. This is the login of the Hub on Mattermost, and allows the Hub to add and remove members, rename the channel, etc. This function is there to save you work, so that people can be automatically added to your channels when you invite them, and so you can remove people, and rename or delete channels from the Hub easily, without having to repeat your actions in the 3 different services.

The UK system administrators have access to this login, so they could, in theory, see everything you say in the channel. If you have something too private to reveal to the UK system administrators, then create a new private channel in Mattermost, rather than via the Hub. Of course, you will then be totally responsible for administering that channel, adding new people in, removing people you do not want in it, renaming it (in Mattermost), etc.

Please do not remove xrukadmin from a team or channel that has been created by the Hub without letting the system administrators know right away that you have done so -- if the Hub thinks it can access a team or channel, but it can't, that will cause error messages for your users.
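The consistency rule above (a Hub-created team or channel must still contain the Hub's service account, or the Hub's automation starts producing errors for users) can be checked mechanically. The following is an added example and not code from the Hub, Mattermost or the XR tech team: it models Hub-managed channel membership and Mattermost's view of the same channels as constructed dictionaries, then reports channels where xrukadmin has been removed and members that have drifted between the two systems. A real audit would read both membership lists from the live services; the data here is made up for the example.

```python
# Added example: reconcile Hub-managed channel membership against Mattermost.
# All membership data below is constructed for illustration.

HUB_SERVICE_ACCOUNT = "xrukadmin"  # the Hub's login on Mattermost, as described on the page

# Constructed: channels the Hub believes it created and manages, with their members.
HUB_MANAGED_CHANNELS = {
    "affinity-north": {"xrukadmin", "alice", "bob"},
    "legal-support": {"xrukadmin", "carol"},
    "media-team": {"xrukadmin", "dave", "erin"},
}

# Constructed: current membership as Mattermost reports it.
MATTERMOST_MEMBERS = {
    "affinity-north": {"xrukadmin", "alice", "bob"},
    "legal-support": {"carol", "frank"},      # service account removed without telling the admins
    "media-team": {"xrukadmin", "dave"},      # erin removed in Mattermost but not in the Hub
    "self-made-private": {"grace", "heidi"},  # created directly in Mattermost; not Hub-managed, not audited
}


def audit(hub_channels, mm_channels, service_account=HUB_SERVICE_ACCOUNT):
    """Return (channel, kind, detail) findings for every Hub-managed channel.

    kind is one of:
      "missing"        - the channel no longer exists in Mattermost
      "hub-locked-out" - the service account was removed, so the Hub cannot manage it
      "drift"          - a member is present in one system but not the other
    Channels created directly in Mattermost are ignored: the Hub has no claim on them.
    """
    findings = []
    for channel, expected in hub_channels.items():
        actual = mm_channels.get(channel)
        if actual is None:
            findings.append((channel, "missing", "channel no longer exists in Mattermost"))
            continue
        if service_account not in actual:
            findings.append((channel, "hub-locked-out",
                             f"{service_account} removed; the Hub cannot manage this channel"))
        # Members the Hub expects but Mattermost lacks (the service account is reported above).
        for member in sorted(expected - actual - {service_account}):
            findings.append((channel, "drift", f"{member} is in the Hub but not in Mattermost"))
        # Members Mattermost has that the Hub never added.
        for member in sorted(actual - expected):
            findings.append((channel, "drift", f"{member} is in Mattermost but not in the Hub"))
    return findings


def locked_out_channels(findings):
    """Channels whose Hub automation will fail; these are the ones to report to the admins."""
    return sorted({channel for channel, kind, _ in findings if kind == "hub-locked-out"})


if __name__ == "__main__":
    for channel, kind, detail in audit(HUB_MANAGED_CHANNELS, MATTERMOST_MEMBERS):
        print(f"{channel:16} {kind:15} {detail}")
```

The audit deliberately skips channels the Hub did not create, which matches the advice above: a private channel created directly in Mattermost is administered entirely by its members and the Hub has no business in it.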

UK Forums

Data in private forums on UK Forums can only be accessed by Forum group members (and the UK Forums administrators). You can check who is in the forum group by accessing the Forum Groups option on the main menu, and finding the relevant group. You can remove people from the group by removing them from your organisation on the Hub (preferred), or in UK Forums (but the Hub may add them back again if you don't remove them there too).

UK Cloud

Data in private group folders in UK Cloud can be accessed by group members (and the UK Cloud administrators), and by anyone you share it with. Again, you can remove people from your organisation (and therefore access to your group) on the Hub.

Appendix 1: Why are there private working groups

This is quoted from a post by the global security expert [with minor formatting edits].

Something that comes up often is "Why are there private working groups? Why can't we all work in the open?" My own experience in several large online communities is that having private areas facilitates thriving, safer communities. A 'regime of openness', on the other hand, tends to seed decay, even paranoia and distrust. While that may seem counter-intuitive, there are a great many reasons why this is so:

Privacy is not Secrecy

First of all, we need to challenge the misbelief that Privacy and Secrecy are one and the same. They are not. To quote a beautiful work of literature, A Cypherpunk's Manifesto, 1993:

"Privacy is the power to selectively reveal oneself to the world."

There are things we would tell a sibling we would not tell a parent; that we would tell a friend that we would not tell a relative or boss. Privacy is the glue of a happy and healthy society; it is how we establish and manage our socio-emotional and physical boundaries.

If I walk up to a couple in the park and demand a summary of what they just talked about, to be included in their conversation, and they refuse, we wouldn't say they are being 'secretive'. Rather, they are asserting their basic human right to privacy.

So it follows that we should certainly not distrust those that seek and affirm privacy, rather those that rally against it, those that demand openness. Further, it should be no surprise that those suspicious of allowances for privacy are often from privileged socio-economic backgrounds.

It must be up to individuals when they choose to be open. This is only something that a de facto of privacy, alongside a basic right to anonymity, can provide.

Whole community poisoning

Private working groups also protect against a very real threat to online communities: Whole community poisoning. Should a troll or infiltrator, or organised group of such, come to Mattermost (or here on Discourse) and be able to openly join every one of the dozens of teams on this server, every one of the channels and working groups, they can quickly ruin the social and cultural domains this server affords. Having private working groups and/or areas affords us Circles of Trust:

Circles of trust

Allowing members of private channels to manage those same domains encourages a sense of ownership, of trust. In essence, it embodies a decentralisation of trust, in that it is not centrally managed by a vetting process (like a Police file) but rather by transient (a table at a bar) or permanent (a village) communities themselves, through their own experiences (and ever branching degrees of separation).

Like all animals, we meet people, get to know them, and let them closer.

Appendix 2: We need to talk about Google Docs

From the global security expert again (slightly edited to refer to UK comms services).

Green and Black Cross, seasoned professionals in the support of activists in need in the UK, have made a public statement that they will no longer support XR UK. In their statement, one difficult to read, they specifically cite the use of Google (alongside WhatsApp and Facebook messenger) as a risk to rebels, opening them up for deep exposure to Police.

We believe that the way XR stores personal data is inadequately secure (for example, in Google documents and forms). This means that personal data belonging to LOs is likely to be accessed by police.

We believe that the communication channels XR uses for legal observers are inadequately secure (for example, WhatsApp and Facebook messenger groups, public Facebook events and email lists with no bcc). This also means that communication through these channels is likely to be accessed by police.

Their statement raises an old issue here on Organise.Earth [Ed: The server hosting the global Mattermost], one that is a primary motivation for the server existing in the first place: we endanger each other, and ourselves, when we work with surveillance capitalists. So let us stop doing it.

Google is a completely unsafe partner for civil disobedience, activism in general. We can't have a 'regenerative culture' and partner with that corporation. Green and Black Cross are veterans in this space, and we ought to heed their concerns. I share their concerns having assisted at-risk individuals and groups for years with their infrastructure, to keep them off-police-record and safe in their work.

Lists of NCs in a Google Doc - any list of contacts - threatens those in less privileged operational environments, where police request information from Google, which they openly provide, to incarcerate that/those individual(s). It would be great to see us take this to heart and understand that it is uncaring and mutually harmful to continue to use Google products, not to mention WhatsApp (a meta-data harvest), as Green and Black Cross make so clear.

While an XR NL or XR SE (for instance) may find it unusual/paranoid/specious to have such concern, it is a projection of privilege to assume the same jurisdictional/legal environment exists for all, where brave rebels working in difficult conditions are first surveilled (by statecraft, federal police) and then they are jailed, beaten and/or shot. Many of our rebels work in such environments. In the spirit of regeneration and mutual support, it is time for our ethics to be reflected in our communication infrastructure.

Solutions

Use Nextcloud to store and view documents on UK Cloud.
The only reason not to is if you absolutely must have online editing or real-time collaborative editing -- ask yourself whether there is a different way of working.

The tech team is working hard to make available a Google Docs-like interface to enable people to edit documents collaboratively. A view-only version is already available, and we are working on porting an editing version to our server.

While functional, do not expect this to be as slick as Google Docs, which has all the massive resources of Google behind it, and has probably cost millions to develop! Remember that the cost of using Google is that everything becomes easily available to both commercial and state interests.

In the meantime, only use Google Docs for things for which you absolutely must have real-time collaborative editing. So long as your computer is secure, you can use the Nextcloud desktop sync app to edit a local copy of documents you are working on and have them automatically updated into UK Cloud.

When someone posts a link to a Google Doc, gently remind them that use of Google is provably unsafe, that we need to make the effort to copy its contents out to a document in our community owned cloud. It is not just the content of the document that matters. Even with harmless content the ability to build up a profile of usage and users to infer activity by combining that with other data is a major privacy issue and potential security flaw.
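The point made above (and again for WhatsApp's metadata below) is that whoever hosts a service sees who accessed what and when, even if every document is harmless. The following added example, not part of the original page, makes that concrete: it takes a handful of constructed access-log lines of the kind a hosting provider holds (timestamp, account, document id, action, no content at all) and shows how much group structure and working pattern can be read off them. The account names, document ids and timestamps are all made up for the example.

```python
# Added example: what access metadata alone reveals, with no document content.
# The log lines below are constructed for illustration.
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample of provider-side access metadata.
# Fields: timestamp, account, document id, action. Nothing about what the documents say.
ACCESS_LOG = """\
2019-10-01T09:02:11Z alice@example.org doc-1 open
2019-10-01T09:03:40Z bob@example.org doc-1 open
2019-10-01T09:05:02Z carol@example.org doc-1 open
2019-10-01T21:14:09Z alice@example.org doc-2 edit
2019-10-01T21:15:55Z bob@example.org doc-2 edit
2019-10-02T08:30:00Z dave@example.org doc-3 open
2019-10-02T08:31:12Z erin@example.org doc-3 open
2019-10-02T21:40:30Z alice@example.org doc-4 open
2019-10-02T21:41:01Z carol@example.org doc-4 open
2019-10-02T21:42:15Z bob@example.org doc-4 open
"""


def parse_log(text):
    """Parse log lines into (timestamp, account, document, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, doc, action = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, doc, action))
    return events


def readers_per_document(events):
    """Map each document id to the set of accounts that touched it."""
    readers = defaultdict(set)
    for _, account, doc, _ in events:
        readers[doc].add(account)
    return readers


def co_access_counts(events):
    """For each pair of accounts, count the documents both touched.

    A high count says the two people work together, whatever the documents contain.
    """
    counts = defaultdict(int)
    for accounts in readers_per_document(events).values():
        for a, b in combinations(sorted(accounts), 2):
            counts[(a, b)] += 1
    return dict(counts)


def inferred_groups(events, min_shared=2):
    """Cluster accounts linked by at least `min_shared` shared documents.

    Returns the connected components of the co-access graph: each one is a
    working group the observer has reconstructed purely from metadata.
    """
    adjacency = defaultdict(set)
    for (a, b), n in co_access_counts(events).items():
        if n >= min_shared:
            adjacency[a].add(b)
            adjacency[b].add(a)
    seen, groups = set(), []
    for start in sorted(adjacency):
        if start in seen:
            continue
        stack, group = [start], set()
        while stack:
            node = stack.pop()
            if node in group:
                continue
            group.add(node)
            stack.extend(adjacency[node] - group)
        seen |= group
        groups.append(frozenset(group))
    return groups


def activity_hours(events, account):
    """Hours of the day (UTC) at which an account is active: a second signal,
    hinting at time zone and routine, that also needs no content."""
    return sorted({ts.hour for ts, acct, _, _ in events if acct == account})


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    for group in inferred_groups(events):
        print("likely working group:", ", ".join(sorted(group)))
    print("alice active at hours:", activity_hours(events, "alice@example.org"))
```

Lowering `min_shared` to 1 also links dave and erin into a second group from a single shared document; the threshold only controls how much evidence the observer demands before drawing the connection. This is the profile-building the paragraph warns about, and it works just as well on a list of harmless documents as on a sensitive one.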

Use Mattermost, Signal or Wire instead of WhatsApp. Owned by Facebook, WhatsApp produces a vast treasure-trove of meta-data and has a notoriously suspect record for data-privacy.

Get off Gmail and other commercial email services. Let us help each other get off GMail. No more sending around sensitive documents in GMail accounts. Use the privacy respecting ProtonMail or Tutanota instead.

Stop using Facebook and other commercial social media for anything strategic or sensitive. This should be done using Signal or Wire, or on UK Forums or Mattermost Chat.

UK Hub -- https://auth.extinctionrebellion.org.uk

UK Forum -- https://base.extinctionrebellion.org.uk

UK Cloud -- https://cloud.extinctionrebellion.org.uk

Mattermost Chat -- https://organise.earth