Digital security in one place
SHARE Foundation has developed the Cybersecurity Toolkit – an open platform that provides one-stop instructions and possible solutions to problems with websites, applications or devices, allows you to learn more about good practices in the protection of information systems and digital goods and offers advice if you are a victim of technology-based violence or harassment.
“Error 404” appears when you try to open your website, you can’t access your old email account because you don’t remember the password or you are considering which chat app is more secure than Viber? Tips on how to get through these and similar situations and much more are available in one place, making it easier to search when technology fails or your rights are compromised.
The tools are intended for citizens, journalists, activists, but also those with a little more technical knowledge to serve as a reminder. Our goal is to use our own resources and the help of our community to improve the knowledge base, tips and instructions over time so that the Toolkit is up-to-date with the changes in the digital environment.
Journalists, online media, activists and civil society organisations which are experiencing more complex technical problems can contact SHARE CERT at [email protected] (PGP Fingerprint: 3B89 7A55 8C36 2337 CBC2 C6E9 A268 31E2 0441 0C10). SHARE CERT, a special center for risk prevention in ICT systems, monitors and analyses security threats in the digital infrastructure of online and civic media in Serbia and provides them with pro bono technical and legal assistance.
Clubhouse – our worst hangover yet!
Clubhouse is not the origin of all evil when it comes to compromising user privacy and the grave consequences of it. But in the times we live in, where privacy has become a household name and a recurrent legal and PR problem for established platforms like Facebook and Google, and with the presence of milestone regulations like the GDPR, one must wonder why an emerging platform would not only disregard all of the above, but also push the problem further in the wrong direction. Even from a business perspective, it does feel like Clubhouse did their market study based on data acquired from ten years ago. It only takes one look at the millions of users that WhatsApp lost this past January after an unfortunate change to their terms of service to see that users have made a giant leap of awareness around data privacy. This also showed how readily available the alternatives are nowadays. Competitors who invest in privacy, like Signal and Telegram, were ready to welcome the mass migration which forced a giant platform like WhatsApp to backtrack.
Paul Davison, one of the two founders of Clubhouse, is behind the infamous Highlight app, which among other issues was a nightmare for user privacy and safety. In 2020, an ex-employee of Highlight told Verge that Davison’s “entire perspective was always to push for, how do we get users to expose more data in the product?” and that “user trust and safety was completely an afterthought.” At least we know that Davison is consistent.
Putting the marketing illusion of exclusivity aside and the fact that the last thing the world needs is another Social Media, Clubhouse stirs curiosity. As a sound enthusiast, I decided to join and check it out.
In order to be able to invite people across the door of exclusivity – assuming they own an iPhone – one has to grant Clubhouse access to the contact list. Upon doing so, Clubhouse recommends names to be invited, under which you can see how many contacts that person has who are already Clubhouse users. These are shadow profiles, data about users who didn’t submit it themselves but that we volunteer to Clubhouse (and its wide web of servers, governments and third party corporations). Joining Clubhouse and using its features is not only about one’s own data, but also the data of everyone on our phones. Shadow profiles, in addition to users’ data, can be used to map social and political groups, and networks of racialized communities or individuals, or of people whose identities or beliefs are criminalized or which are of interest to authorities, corporations and adversaries: BIPoC (Black, Indigenous, and People of Colour), LGBTIQ people, activists, Human Rights Defenders, etc.
Clubhouse is a voice-based platform & our voices reveal a lot about our emotional and mental state. They can reveal our background, social class, and even personality traits. Our accents, our dialects, the expressions that we use, all tell our stories and the stories of the communities we belong to.
The platform, like many, is very ambiguous about how they store our data, who they share it with and what for. Clubhouse uses servers based in the US, which remains short on data protection, especially with the extended reach of agencies like the NSA. The app also uses the Shanghai-based startup Agora for its real-time voice and video engagement. Being based in Shanghai and under Chinese jurisdiction, Agora is legally bound to comply with the regulations of the Chinese government. Stanford Internet Observatory (SIO) revealed that Agora’s backend infrastructure receives packets containing “metadata about each user, including their unique Clubhouse ID number and the room ID they are joining. That metadata is sent over the internet in plaintext (not encrypted), meaning that any third-party with access to a user’s network traffic can access it. In this manner, an eavesdropper might learn whether two users are talking to each other, for instance, by detecting whether those users are joining the same channel.” This raises serious concerns about the privacy and safety of users discussing issues that the Chinese or the US government consider a threat.
This past weekend (February 21st), a user managed to connect a Clubhouse API to his website, and broadcast the audio chats from various rooms in the app. Clubhouse confirmed the spillage to Bloomberg and stated that they suspended the user who violated the platform’s terms of service. Nevertheless, and using the simple screen grab feature of the iPhone (which Clubhouse so far is strictly built for), I managed to record whatever room I wanted to. Clubhouse did warn me that posting it without users’ consent can result in suspension. But how would they know what I could do with the recording? They can’t. Were the users informed that someone was recording their conversation? No (I asked some of them). Is it only about sharing the recording? Definitely not. An adversary, be it a repressive regime, an intelligence agency or a hate group, can employ the recording for a myriad of threats.
Screenshot of the video recording from a Clubhouse room. The recording was deleted after testing.
Clubhouse started with an alarming disregard for user safety, which journalist Taylor Lorenz documented through her own experience on the platform. This was followed by various reports about the platform being used to spread racism, antisemitism, misogyny, and a barrage of conspiracy theories.
It all boils down to Clubhouse’s lack of understanding, premeditated or not, informed or not, about the risks of running such a space with such an infrastructure and such basic mistakes.
Who starts a social media platform in 2020 without a block or mute button (though this important feature was added later on)? The platform makes commendable statements against abuse in their terms of service, yet it still falls short on the mechanism to address user safety and the process for accountability when there is abuse. Though they claim to address “incident” reports of abuse swiftly, the process raises serious questions. Upon an “incident” report, the platform will keep a “temporary audio recording” which is retained “for the purposes of investigating the incident, and then delete it when the investigation is complete.” Sounds good on paper, but what happens when a for-profit platform that has major issues with data privacy, transparency, and an alarming infrastructure is the investigator, the judge and the enforcer of the sentence? And on top of it, they will delete the evidence when they themselves deem the issue settled. Of course, this is not a call to record and document what is being said on the platform. This is to inform the users, and to highlight Clubhouse’s lack of the vision and knowledge that are crucially needed to address such complicated and dangerous issues. These are problems that other platforms, with much longer experience and a wide array of scandals, have been struggling with for years.
Finally, the platform doesn’t provide an easy and accessible option for users to quit. It is closer to entrapment. I wish I was told before I joined that there is no “delete account” button, let alone an easy way. Rather, users are thrown into a Kafkaesque process where it is not clear when I can be freed, how long that will take, for how long they will keep my data, and meanwhile where it will be stored and what for.
For now, I am stuck. Meanwhile, I will keep silent in the Club. I will not give Clubhouse any access to anything I can control on my phone. From inside the Club I can tell you, if you are still standing outside, think twice before coming in. It is a nightmare as it is, but it has the potential of spiraling into a much worse nightmare.
Leil Zahra is a transfeminist queer filmmaker, researcher and trainer on digital security and data privacy, born in Beirut and based in Berlin. Their work has a major focus on migration, anti-racism, decolonialism, queer politics, and social justice.
The 2020 RDR Index: Digital Giants and Human Rights
Despite notable improvements by a majority of the most powerful digital platforms in their publicly disclosed commitments and policies affecting privacy and freedom of expression and information, the global internet is still facing a systemic crisis of transparency and accountability, concludes the new report of the organization “Ranking Digital Rights” on the Corporate Accountability Index for digital rights in 2020.
Published on Wednesday, February 24, the RDR Index evaluates the work and policies of the 26 largest digital platforms and telecommunications companies that held a combined market capitalization of more than $11 trillion. Their products and services affect a majority of the world’s 4.6 billion internet users.
Users of digital platforms and telecommunications services “lack basic information about who controls their ability to connect, speak online, or access information, and what information is promoted and prioritized”, the statement added.
“The most striking takeaway is just how little companies across the board are willing to publicly disclose about how they shape and moderate digital content, enforce their rules, collect and use our data, and build and deploy the underlying algorithms that shape our world,” said Amy Brouillette, research director for Ranking Digital Rights.
The fifth RDR Index has two new companies added, Amazon and Alibaba, while the methodology was expanded with new indicators that examine company disclosures related to their use of algorithms and targeted advertising. Among other experts from around the world, Olivia Solis Villaverde and Bojan Perkov from the SHARE Foundation participated in the preparation of this year’s report.
Results of the 2020 Index
The 2020 RDR Index shows Twitter taking the first place among digital platforms due to its comparatively strong transparency about its enforcement of content rules and of government censorship demands. For its strong human rights commitments, the Spanish Telefónica retained its top spot among all rated companies, including digital platforms.
Of all the evaluated companies, Qatari telco Ooredoo ranked lowest as it disclosed less than any other telecommunications company about its governance processes to ensure respect for human rights. The e-commerce giant Amazon ranked last among digital platforms, due to low ratings of transparency and accountability around users’ rights, and for disclosing very little about how it handles or secures user information, and nothing about its data retention policies, despite its deep reliance on user data to fuel its business model.
Since the launch of the RDR Index in 2015, the number of companies that are actively improving the protection of consumer rights and freedoms has been growing, while compared to the previous year there has been an improvement among all evaluated companies – except Google and AT&T. Such progress is noticeable even among the lowest rated companies headquartered in restrictive jurisdictions, such as Russia, South Africa, China and the Middle East.
A detailed report is freely available at Ranking Digital Rights.
Request to ban biometric surveillance enters European Parliament procedure
As of February 17, citizens of the European Union have been signing a petition for a ban on mass biometric surveillance in order to force the European Parliament, with one million signatures, to include this request in its agenda. At a time when the EU is preparing laws on artificial intelligence, dozens of civil society organizations, numerous activists and experts have called on the citizens of member states to use the unique opportunity to incorporate the protection of freedom and dignity into regulations that will shape the future.
Public pressure on the Union’s legislators is part of the joint, pan-European campaign #ReclaimYourFace which was launched last fall, and in which Serbia also participates through the SHARE Foundation and the local initiative #hiljadekamera, #thousandsofcameras. A campaign to ban mass biometric surveillance in public spaces in European cities has been launched in coalition with the European Digital Rights Network (EDRi) and several European and global organizations.
The petition launched by SHARE at the time, although with no formal influence on national lawmakers, gathered close to 15,000 signatures in just a few weeks.
The citizens of Serbia are particularly interested in the urgent suspension of the mass biometric surveillance project, which is already being implemented in Belgrade, in conflict with the Constitution and laws. With thousands of smart cameras on the streets and squares, our capital city will become the first city in Europe to impose life under constant surveillance on its citizens and visitors.
EU citizens’ signatures for a petition to the European Parliament are being verified. If you are a national of one of the Member States, please sign.
Thousands of Cameras
In early 2019, it was announced that thousands of cameras with facial recognition capabilities would be installed in Belgrade, which would put the entire city under the always vigilant eye of smart video surveillance. An informal group of citizens, gathered around the site hiljade.kamera.rs, has since pointed out all the problems and consequences of surveillance that can follow every citizen as he moves around the city at any time.
Information wars during the pandemic
The Covid-19 Information System has been controversial since its inception. We are not sure who made it, under what conditions, or whether the system was made in accordance with the standards of information security and personal data protection. However, the most controversial was the debate on whether the information about the spread of the virus stored in the system is credible.
Pandemic for digital rights in South East Europe
Pandemic for Digital Rights – Report
The global public health crisis brought on by the Covid-19 pandemic confirmed that the decades-long discussion on striking a better balance between interests of safety and privacy still hasn’t provided the world with a better framework. Concentration of information, censorship, fake news, security breaches and the government officials’ response to these violations were some of the most notable takeaways from the report.
Since 2014, SHARE Foundation has been running the Digital Rights Monitoring Project in an effort to sample violations and assess overall conditions in the online sphere of Serbia. Last year, the project was expanded in cooperation with the Balkan Investigative Reporting Network (BIRN) to include monitoring of incidents in Bosnia and Herzegovina, Croatia, Hungary, Kosovo, Montenegro, North Macedonia and Romania. Given the current global situation, the first joint report coincided with the Covid-19 pandemic, and this led to the uncovering of some worrisome events and trends in the region.
The report presents an overview of the main violations of citizens’ digital rights in each country in the period from 31 January to 30 September 2020. Following the analysis, a list of recommendations for authorities is proposed in an attempt to curb gross digital rights violations in future situations of social crisis.
SHARE: Complaints against 16 global tech companies
On Thursday, October 1, SHARE Foundation’s legal team filed misdemeanor complaints against 16 global tech corporations following their failure to appoint representatives in Serbia for more than a year, as is mandated by the Law on Personal Data Protection.
Companies that own platforms for providing various services, such as Facebook, Twitter, Amazon, Netflix or Airbnb, process huge amounts of Serbian citizens’ personal data, while citizens are not able to directly exercise their rights, and are instead left to engage in automated communication with robots.
Last fall when the new data protection law came into force, SHARE Foundation launched a campaign to inform citizens about their rights, as well as companies about their obligations. The first misdemeanor charges were filed against Google and Facebook. After a long correspondence with the Serbian Data Protection Commissioner, Google LLC was the first and so far the only company among the tech giants that appointed its representative in Serbia. Mark Zuckerberg’s corporation did not oblige the Commissioner with an answer.
Thanks to Google’s representative in Serbia, we were recently able to record the first domestic case of a successfully realised right to be forgotten. Of the “smaller” global corporations, the representative in Serbia was appointed by the owner of the commercial flight search service eSky, while the Dutch owner of the Serbian-language platform KupujemProdajem already had a local representative.
Misdemeanor complaints were filed with the Commissioner for Personal Data Protection, authorised to initiate an inspection procedure and impose fines in the amount of 100.000 Serbian dinars (RSD) for the company and 20.000 RSD for its director in case there is a violation of the law.
Unlike the European General Data Protection Regulation, based on which our law was written, the fines in Serbia are symbolic, especially for global companies that make unimaginable profits off of the data of citizens around the world. However, we believe that they would show that the competent authorities of the Republic of Serbia apply the law that protects our citizens when companies do not operate in accordance with domestic regulations.
Misdemeanor complaint (.pdf)
SEE Digital Rights Network established
Facing a rise in digital rights violations, more than a dozen rights organisations have agreed to work together to protect individuals and societies in Southeast Europe.
Nineteen organisations from Southeast Europe have joined forces in a newly-established network that aims to advance the protection of digital rights and address the growing challenges posed by the widespread use of advanced technologies in society.
Initiated by Balkan Investigative Reporting Network, BIRN, and SHARE Foundation, the SEE Digital Rights Network is the first network of its kind focused on the digital environment and challenges to digital rights in Southeast Europe.
The network brings together 19 member organisations – from Bosnia and Herzegovina, Croatia, Greece, Kosovo, Montenegro, North Macedonia and Serbia – dedicated to the protection and promotion of human rights, both online and offline.
Each is committed to advancing their work on issues of digital rights abuses, lack of transparency, expanded use of invasive tech solutions and breaches of privacy.
Since the onset of the COVID-19 pandemic, Central and Southeast Europe has seen a dramatic rise in the rate of digital rights violations, in countries where democratic values are already imperiled.
“This endeavour comes at a moment when we are seeing greater interference by state and commercial actors that contribute to the already shrinking space for debate while the exercise of basic human rights is continuously being limited,” said BIRN regional director Marija Ristic.
“The Internet has strong potential to serve the needs of the people and internet access has proved to be indispensable in times of crisis such as the COVID-19 pandemic. Our societies are becoming more digital, which presents a powerful incentive to increase the capacity of organisations dealing with digital developments and regulations in our region.”
During a first joint meeting, the members of the network agreed that the challenges posed by the fast-evolving tech solutions used by states have led to infringements of basic rights and freedoms, while false and unverified information is flourishing online and shaping the lives of people around the region. The online sphere has already become a hostile environment for outspoken individuals and especially marginalised groups such as minorities, LGBTIQ+ community, refugees and women.
“Digital technology is profoundly changing our societies as it becomes an important part of all spheres of our lives, so we see the diversity of organisations that joined this network as one of its biggest strengths,” said Danilo Krivokapic, director of the SHARE Foundation.
“We can learn so much from each other’s experience, as we have similar problems with governments using technology to exert control over society, especially in times of crisis such as the COVID-19 pandemic,” he said. “It is also important that we act together when we are trying to restore the balance between our citizens and big companies (Facebook, Google etc) that hold enormous amounts of our personal data and through this exert significant power over us.”
The network’s aim is to build on the skills, knowledge and experience of its members to achieve common goals such as strengthening democracy in the region and protecting individuals in the digital environment.
While cherishing the values of safety, equality and freedom, the work of the SEE Digital Rights Network will be directed at achieving the following goals: to protect digital rights and internet freedoms, enable people to access accurate information, make the internet a safer place, detect and report hate speech and verbal violence online, especially against women and other vulnerable groups, identify online recruitment, which can lead to exploitation, take control of personal data, work to prevent the implementation of intrusive surveillance systems, hold governments accountable for the use and abuse of technology and improve digital literacy in order to prevent violence and exploitation.
The network will aim to increase the level of understanding of complex and worrying trends and practices, trying to bring them closer to the general public in a language it can understand. By creating a common space for discussion and exchange, organisations and the media will be able to increase the impact of their individual efforts directed towards legislative, political and social changes.
The organisations that have joined the network are as follows:
Pandemic politics in the Western Balkans
In response to the COVID-19 pandemic, countries around the world have introduced various legal measures and technological solutions, which have raised particular concerns for the respect of human rights during this global public health crisis. In such circumstances, privacy and personal data protection were among the first victims, while other rights, such as freedom of expression and information, followed soon. The Western Balkans are no exception – during the pandemic, there were many cases of violations of digital rights and freedoms, which threatened to further reduce the overall human rights situation riding on the public fear of a major health crisis.
The policy paper “State of pandemonium: Digital rights in the Western Balkans and COVID-19” authored by Danilo Krivokapić, Bojan Perkov and Davor Marko aims to point out how major crises affect basic democratic achievements and highlight that the pandemic must not be used under any circumstances to irreversibly reduce human rights standards, especially not by using intrusive technologies. The authors’ findings highlight that there are already many problems in the Western Balkans regarding digital rights and freedoms, especially when it comes to privacy and security of personal data, disinformation and attacks on journalists, which only worsened during the COVID-19 pandemic.
The authors point out that the adequate implementation of policies and regulations in the fields of data protection and information security, enabling the development of a favorable environment for unhindered work of journalists and media, as well as improving digital literacy and digital competencies of citizens are steps of key importance for the future.