A Note on Security and Privacy

Technology changes, we need to stay informed

Here is an overview of key privacy and security considerations we should be aware of and keep in mind when providing online and hybrid services to Newcomers:

Additional information and resources

No internet tool offers absolute privacy and security and this is why it is essential for us to stay aware of news, updates, and information directly from the tech providers about the tools they use.

It also means, always update your apps and software to ensure they are secure.

Let’s take Zoom as an example.

Many of us in the sector, like many teachers, professors, businesses and others around the world use Zoom. Zoom is an ongoing lesson in keeping up to date with how the technology you use changes, including terms of service, privacy, etc.

In 2020, when Zoom was starting to be used by almost everyone in our sector, a new story coming out about Zoom security and privacy issues almost every day. For example, it turns out their claims that Zoom was end-to-end encrypted were “exaggerated.” As Zoom gets used more, it is suddenly getting more scrutiny from tech security and privacy experts. The upside of that is that the issues are now widely known, and the company has committed to fixing them.

“Can I still use Zoom? Yes – as long as you exercise some caution. If you’re hosting a Zoom meeting, you’ll need to watch out for a few things.” 

On April 27, 2020 Zoom upgraded to version 5.0 with additional security enhancements. If you haven’t already, upgrade your Zoom software. 

By May 30, 2020, Zoom is encrypted-ish. It is important to note that end-to-end encryption was only available to paying customers on Zoom Pro and higher. A lesser standard of encryption is available to free account users. Conversations are ongoing, “but for now, assume that the free version of Zoom will not support end-to-end encryption.”

Aaaaaand, then encryption was back, and for everyone. According to June 17, 2020 blog post, Zoom “will be offering end-to-end encryption for all of users – free and paid – as an advanced feature at no additional charge.”

Be knowledgeable about your tools and what purpose they serve in your work. Let your clients know as well. For example, it’s time to dive into your Zoom settings to learn how to keep uninvited guests out of your zoom event

The reality is that the many of the most popular tools are not always the most secure. Currently, WhatsApp, which is very popular in our sector, is a notable exception.

There are a number of encrypted messaging apps that allow you to not only send text messages, but also make audio and video calls with your clients (also useful: Guide to Secure Group Chat and Conferencing Tools). WhatsApp is on this list, along with many others. I strongly recommend that you use Signal, which is one of the strongest, most secure messaging app on the market. But even Signal is not perfect. Like WhatsApp, using Signal means sharing your phone number. So, secure, but not totally private. A challenge is always to move you, your colleagues, and your clients over to an app that they are not already using, and it does require sharing your phone number. 

Treat everything you do as potentially insecure and not private

For that reason, you are likely to continue to use tools that may not have the privacy and security you need for some client interactions. Get to know the tools you use, stay on top of information about them and how they might be changing. 

For example, do you have a process in place to shift a conversation from a potentially insecure platform to a secure one when you need to? 

If you’re using WhatsApp groups with clients, do you know that group members can see each other’s contact information? Did you know you can create WhatsApp broadcast lists instead

These are not just technical questions, but also process and digital literacy questions that you must understand before using digital tools to serve your clients, even if the tools are encrypted and secure. Educate yourselves, and your clients.

As a lesson to keep on top of the tools you use, on January 6, 2021 WhatsApp updated its privacy terms. It has concerned privacy advocates. Should you stop using WhatsApp? According to Forbes, “In a new FAQ page on its website, WhatsApp has responded to the widespread criticism surrounding its privacy policy update, which comes into force on February 8. The updated terms, which users are being informed of via an in-app update, require that users agree to share personal data, including their phone number, with WhatsApp’s parent company Facebook.

However, WhatsApp has now clarified that the privacy policy has nothing to do with consumer chats or profile data, and is instead related to businesses using the service for customer service purposes.”

The question you might be asking yourself is, can I trust WhatsApp (which really means, can you trust Facebook?)?

Here’s an infographic WhatsApp has published:

Privacy advocates, some who were concerned when Facebook bought WhatsApp that privacy would eventually be eroded, are wary. You must make your own choices, so if you’re using WhatsApp for confidential communication, take the time to determine if the changes WhatsApp is making have a negative impact on you and how you use it.

ProtonMail, an encrypted email service provider, wrote this useful article: Best WhatsApp alternatives that respect your privacy. They provide an important perspective, and nuance in the discussion between privacy and security: “At Proton, we view end-to-end encryption as a core requirement for any messenger app that claims to be secure and private. This means messages are encrypted on your device and can only be decrypted on the device of the intended recipient.

WhatsApp uses end-to-end encryption, so the actual messages are therefore secure on the platform. But this does nothing to stop Facebook from accessing metadata: information about whom you communicate with, from where, at what time, how often, and from which device. As well, when using WhatsApp, others can see your cell phone number.

So, while we can say WhatsApp is secure, it is not private (nor, for that matter, is Signal, which is also connected to your phone number).

Open source code is another important indicator that a service is secure. By publishing an app’s code publicly, anyone can examine it to ensure the app is doing what it is supposed to be doing. We believe open source is one of the best indicators that an app can be trusted.”

They also provide excellent analysis of the tools in this snapshot image (note the “Anonymous signup” row, this indicates whether or not the account is connected to your phone number, which would then be viewable by people you communicate with):

This image from Guide to Secure Group Chat and Conferencing Tools ‘provides a useful decision-making process and decision tree with good questions you should be asking about encryption when it comes to chat and video conferencing/chat tools:

Online Privacy and Security – resources and learning

Protecting your and your clients’ privacy is essential. Moving information, conversations, service online means that you need to become very aware of the tools you’re using and privacy, security, confidentiality. That means understanding encryption.

Here are some useful starting points, to help you better understand and prepare to be secure online. They include information that you can share with your clients as well.

Net Alert 

This site translates new research on privacy and security into clear messages that explain how online threats work and what you can do about them. Among other resources, the site includes Secure accounts – a set of resources to help communicate why securing your digital accounts is important, and easy tips for keeping your accounts safe. Information here is available in English, French, Arabic, Simplified Chinese, Traditional Chinese, Spanish, and Tibetan.

Security in-a-Box – Digital Security Tools and Tactics
The Community Toolkits focus on specific groups of people — sometimes in specific regions — who face significant digital security threats. They include tailored advice on tools and tactics that are relevant to the needs of these particular groups.

Security Planner
Answer a few simple questions to get personalized online safety recommendations. It is confidential – no personal information is stored and they say they won’t access any of your online accounts (Citizen Lab is a trust Canadian source. They also created the Net Alert site/resources above).

Deep Dive: cybersecurity and encryption
A collection of useful articles, guides, and digital security practices for non-profit organizations.

Guide to Secure Group Chat and Conferencing Tools
Which communication platform or tool is best to use? Which is the most secure for holding sensitive internal meetings? Which will have adequate features for online training sessions or remote courses without compromising the privacy and security of participants? Includes a great list of questions to ask/criteria when selecting secure tools or platforms.

Remote Work and Personal Safety
If you’ve got a bit of technical know-how or are connected to people are do, this is an excellent list of resources and tips tips about working from home and ensuring privacy and security.