Quarterly Report
Information Safety & Capacity (ISC) Project
Leader Cooperative Agreement Number: FD-A-00-09-00141-00
Associate Cooperative Agreement Number: AID-OAA-LA-11-00008
Period: July 1, 2019 – September 30, 2019
FY2019
Submitted To: USAID/DCHA
Grantee: Counterpart International, 2345 Crystal Drive, Arlington, VA 22202

Contents

Acronyms
About the ISC Project
Executive Summary
Successes and Highlights Under Objective 1
2019 ISC Global Workshop
Digital Security Trainings and Assistance
Successes and Highlights Under Objective 2
Successes and Highlights Under Objective 3
Successes and Highlights Under Objective 4
Reflections on ISC's Service Delivery
What’s Working
Obstacles
Latest Threats
Country Context and Emerging Changes
Asia
Balkans
Nicaragua
Tanzania
Looking Ahead

Acronyms

AOR Agreement Officer Representative

CSO Civil Society Organization

DSS Digital Security Specialist

DDoS Distributed Denial-of-Service

FY Fiscal Year

ICT Information and Communications Technology

IGIF Internet Governance, Internet Freedom

ISC Information Safety and Capacity

ISP Internet Service Provider

IT Information Technology

LGBTQ Lesbian, Gay, Bisexual, Transgender/Transsexual, and Queer/Questioning

LP Local Partner

MitM Monster-in-the-Middle

NGO Nongovernmental Organization

TOT Training-of-Trainers

VPN Virtual Private Network

About the Information Safety and Capacity Project

The ISC Project provides capacity building and information security assistance to civil society activists, human rights defenders, and journalists operating in non-permissive environments around the globe. To support those stakeholders in securing their online and mobile communications so they can safely engage in the online civic space, the ISC Project provides mentoring and technical assistance within the framework of the following four objectives:

Objective 1: Improve ICT security capacity of local partner organizations;

Objective 2: Engage with specialized audiences and marginalized populations through outreach and partnership development;

Objective 3: Foster the development of improved technology-based solutions to information security threats; and

Objective 4: Enable civil society stakeholders to advocate on behalf of internet governance issues and/or legislation.

Executive Summary

ISC digital security specialists (DSSes) trained 354 individuals, most of whom were first-time trainees on digital hygiene basics such as secure online communications, browsing the internet safely, circumventing censorship, and using tools designed to protect their civil society work or independent reporting. ISC DSSes provided technical assistance and support to 37 local partner organizations.

ISC conducted three Training of Trainers (ToT) workshops that expanded the capacity of 26 people who developed advanced digital security skills and learned new facilitation techniques.

Two advocacy grants under the internet governance, internet freedom (IGIF) objective closed this quarter: a grant on data policy recommendations in Ukraine and another for a perception survey of internet users in Sri Lanka on online security risks.

ISC hosted its annual Global Workshop, expanding participation to include over 75 attendees from 26 countries. Over three days, participants discussed cyber security challenges and emerging threats in their countries, shared digital security tools, and discussed strategies to advance IGIF policy advocacy.

ISC made personnel changes – welcoming a new Chief of Party, Eric Johnson (20 years of internet freedom project experience in 50 plus countries) and Deputy Chief of Party, Nurhan Kocaoglu (10 years of experience managing the administration of donor-financed, good-governance projects).

Successes and Highlights Under Objective 1

2019 ISC Global Workshop

The ISC organized its annual Global Workshop in Nairobi, Kenya from July 15-17, 2019. Human rights defenders, journalists, and activists were provided with a unique platform to meet with leading digital technologists, forge new partnerships, strengthen existing ones, and share regional experiences. Workshop session topics ranged from strategies on how to advocate for a free, open, inclusive, secure, and democratic Internet, to the ramifications that digital surveillance and disinformation campaigns have on civic spaces. The event covered the most up-to-date and relevant trends and threats in the information security and Internet governance fields, while gathering leaders in the tech industry to pair them with frontline activists.

The first day of the workshop featured a series of regional conversations aimed at describing the current operating environment of our local digital security and IGIF partners in Sub-Saharan Africa, Latin America, Europe, and Asia. By tracking changing levels of resistiveness and openness, as well as identifying where progress has been made or proved impossible, participants were able to gain important lessons learned from their peers and formulate cross-cutting resistance techniques. The latter half of the day was comprised of our Geek and Greet session, which included product demos and case study highlights from our technology partners CrossCheck International, Equalit.ie, GreenHost, JigSaw, Microsoft, Mozilla, and Ushahidi. Ensuring that tool developers are engaging with our local partners (and vice versa) is key to forming beneficial public-private partnerships.

On the second day, participants led peer-to-peer skill sharing sessions on topics they are passionate and knowledgeable about, such as new cyber defense products and innovative policy advocacy practices. For example, there were presentations on digital security applications aimed at securing journalists’ online communications and a gamification training tool for civil society organizations which helps them administer their own digital security audits.

The third day of the workshop was spent in facilitated conversation about new and ongoing digital security threats with the goal of sharing local responses and approaches to combating these issues. 86 percent of attendees responded that they felt threats were similar across all regions represented, especially within these categories:

• Online intimidation and hate speech

• Lack of access to safe Internet

• Network shutdowns

• Surveillance

• Harmful legislation

• Digital divide and poor ICT infrastructure

• Desire of state to control and regulate citizens

• Restricted freedom of expression

• Organized state trolling and disinformation

• Censorship

• Low trust in journalism

• Extremely rapid and recent expansion of state monitoring and filtering capabilities

Attendees put forward solutions that focused on: practices for keeping data secure; maintaining feedback loops between activists, civil society organizations, and international development practitioners; mainstreaming cybersecurity and Internet rights for the masses; and launching advocacy/lobbying campaigns against repressive information laws and cyber-censorship.

The workshop concluded with a Regional Horizon Scanning dialogue which aimed at generating ideas on countermeasures and responses to digital security threats that are likely to arise in the coming months. The outcome of the dialogue was a “wish list” for future programming and ISC support to local partners in FY20. Participants felt energized by the connections made with colleagues and uncovering similarities in the obstacles they face, and they requested more regional conferences be organized to create opportunities to learn from each other and meet more and varied technologists or developers. The workshop evaluation surfaced what participants found most beneficial from the event.

Global Workshop Participants

26 countries represented

39 local digital security partners

14 technologists from the private sector

5 IGIF experts

Digital Security Trainings and Assistance

ISC DSSes trained 354 individuals, 150 of whom were female and 70 percent of whom were considered youth. Overall, participants increased their digital security skills by 52 percent, according to pre- and post-workshop evaluations. Many of these trainings centered on common, basic steps that organizations and activists can take to secure their work online and operate free from viruses, government surveillance, or hacking.

Local partners do not get hacked

• In Bangladesh, 4 members of BD-26, 7 members of BD-18, and 7 members of BD-9 (all human rights defenders) participated in a basic digital security training that covered two-factor authentication, how to use a virtual private network, discovering device vulnerabilities, recognizing phishing attempts and malware, and ensuring system updates and data security.

• In Bosnia and Herzegovina, 23 participants from an election monitoring organization (BA-01) and LGBTQ organization (BA-16) were trained on similar basic digital security and awareness.

Local partners get fewer software viruses

• In Cambodia, KH-9, KH-28, KH-45 encountered a series of viruses resulting from unlicensed software. An ISC in-kind grant gave them official software with automatic system updates.

• In Bangladesh, ISC gave in-kind grants for 75 Bitdefender GravityZone licenses and 27 Bitdefender Mobile Security for Android licenses to BA-01 to protect the organization’s devices from common viruses.

• In Tanzania, 28 citizen journalists (TZ-04) received anti-virus software.

Local partners have better privacy practices

• In Cambodia, a network of Cambodian CSOs (KH-27) convened a stakeholder meeting (attended by ISC’s local DSS) and adopted Psiphon as the main VPN provider for all organizational devices.

Local partners have secure communication

• ISC’s Balkan DSS was asked by MK-08 (an LGBTQ support center) for a secure way to communicate via group chat in advance of next year’s Skopje Pride Parade (they experienced leaks in some of their online communication). They plan to utilize Signal moving forward.

• 31 local partners in Bangladesh were instructed on how to establish safe communication online through the use of secure chats, messaging applications, and private video conferencing.

• A group of human rights defenders in Cambodia (KH04), a high-risk partner, faced phone tapping in the past, but ISC’s security audit exposed the vulnerability and they now use Signal.

Local partners have a digital security policy

• In Bangladesh, BD-18, a CSO platform, took the initiative to work on a digital security guideline this quarter with support from the ISC’s DSS. BD-18 is a platform for dozens of organizations with unique internal policies and the guidebook will ensure coordinated security practices.

• Graduated LP in Tanzania, TZ-08, developed a digital security policy for nine CSOs to safely guide the use of ICT infrastructures within their respective organizations.

Local partners have a secure system/network

• In Tanzania, TZ-11 received an in-kind grant to procure a SOPHOS XG 125 firewall to protect their network against unwanted traffic, as well as an Intrusion Detection and Prevention System for further network protection. These measures were set in place after the ISC Tanzanian DSS discovered that the LP was facing close surveillance by state actors.

• A Tanzanian women’s media organization (TZ-07) received an in-kind grant to restructure its LAN setup and put more security measures in place by configuring a firewall for their office traffic and installing an intrusion detection system.

• 8 local partners in Ecuador had their network systems audited by the in-country DSS this quarter, who made suggestions on more secure hardware and software, as well as safer ISPs.

Local partners respond to or prevent digital security threats

• In Tanzania, graduated LP TZ-08 was awarded a grant to advance ongoing work to increase CSOs’ digital security knowledge in Tanzania. Two objectives were completed this period: 1) Conduct a security audit and assessment of staff’s digital security awareness for nine organizations, and 2) Develop a findings report and draft action plan aimed at fixing current threats and preventing future vulnerabilities. They uncovered very low digital security capacity and awareness among CSOs, who are facing dangerous hacking and surveillance by state actors.

Successes and Highlights Under Objective 2

ISC seeks to provide focused support to specialized and marginalized communities who face digital security threats that are specific or heightened due to their already precarious situation within society. Women, youth, indigenous populations, religious minorities, and LGBTQ organizations are trained and mentored within each of the project’s focus countries.

Journalists are better able to investigate digital security threats

• In Cambodia, KH-9 received basic digital security trainings and continued mentorship from ISC, and their professional and citizen journalists are now able to investigate digital security threats and publish findings anonymously online.

• 29 journalists from TZ-4, a rural press club in Tanzania, did a three-day capacity training on securing their online communication with colleagues and sources and circumventing blocked websites to conduct investigative research and publish their findings safely online.

Marginalized groups are better able to understand and mitigate digital security threats in their communities

• Indigenous groups in Ratanakiri, Cambodia, represented by KH-3, were using pirated software until the ISC Cambodia DSS conducted a security assessment and assisted the organization to apply for genuine software through partnership with TechSoup.

• In Bangladesh, 5 hijra community members and volunteers from BD-15 received technical support in configuring their organization’s Facebook security settings and installing malware removal tools. This was follow-on assistance after receiving training on online threats and how to fix vulnerabilities.

Specialized and/or marginalized communities build strong, sustainable, mutually supportive networks with respect to understanding and mitigating digital security threats

• In Bangladesh, KH-3 and KH-25 conducted digital security trainings for their network partners, including youth organizations, indigenous conservation groups, and a pro-environment CSO, in very remote areas of the Kampong Thom and Preah Vihear provinces.

• Two basic digital security trainings were done in Tanzania for a rural and women’s-focused press club with special emphasis on the unique vulnerabilities that women journalists face and how to defend against them with the support of male colleagues.

Successes and Highlights Under Objective 3

Tools are tested by local partners (end-users) and feedback goes to developers

ISC’s local partners who are trained by DSSes are taught how to evaluate digital security tools, not simply told which services and applications to use. ISC worked in close coordination with Psiphon to test and provide feedback on the usability of its VPN service around the world, and in exchange Psiphon created an ad-free version of the VPN for ISC staff and local partners.

ISC effectively runs technology grants

ISC issued a fifth call for proposals for small technology grant funding that aims to help improve existing tools and/or services that will benefit ISC’s local partners. ISC received responses from ten organizations; five are being considered for funding: Great Fire, TAILS, Nothing2Hide, the Briar Project, and the Guardian Project. Projects in 2020 will include: updates for resource websites, translation of existing applications into new languages, and improving the code of certain tools operating via Bluetooth.

Successes and Highlights Under Objective 4

Local partners increased understanding or awareness of Internet policy among its target group

Ukraine’s Digital Security Lab (DSL) contributed to a number of legal strategy developments through the CSO consortium Free Net Ukraine Coalition, which supports internet freedom litigation. A recent example is the case of Enigma.ua, an online media page that was 1 of 18 sites blocked by the Pecherskyi District Court (Kyiv) in July 2019 for alleged intellectual property violations. The case is currently being litigated in the Kyiv Appeal Court by Free Net UA Coalition member and former IGIF partner and Human Rights Platform lawyer, Oleksandr Burmagin, with assistance from DSL. The Digital Rights Agenda, a set of recommendations for best practice policy adoption, was developed by DSL and shared during an expert discussion with lawyers and human rights defenders in Kyiv with the aim of finalizing and using it as an advocacy resource to inform policy-driven initiatives and influence public authorities.

Perceptions and Experiences of Online Security and Privacy by Internet Users in Sri Lanka, a study conducted by partner LIRNEasia, made several key findings among Sri Lankan Internet users: Generation Z (born after 1995) Internet users find it easier to make use of the Internet than Generation X (born between 1960 and 1980) and Generation Y (born between 1981 and 1995) Internet users; Generation X and Y females progress slowest, while males in the same generations are somewhat better, and Generation X and Y females are the most dependent and restricted Internet users; and ‘privacy’ and ‘security’ are terms which are used interchangeably by Internet users, although neither of these concepts is considered very important by those surveyed. Through ISC support, the Sri Lankan portion of the study will contribute to the International Development Research Center’s (IDRC) ongoing research project to examine regional practices in Asia.

Reflections on ISC's Service Delivery

What’s Working

ISC’s methodology has been adapted, refined, and localized throughout its almost decade-long period of implementation. The core model of support continues to focus on providing tailored support to human rights defenders, marginalized groups, and independent media. ISC’s comprehensive model combines immediate, short-term assistance with long-term, sustainable support.

• ISC starts with an organization-wide security audit of all new LPs; local DSSes identify critical areas of insecurity and immediately begin the process of providing in-kind grants for key hardware and software purchases.

• DSSes also assess LPs’ capacity for adopting safe practices online through site visits and train LPs to raise awareness and digital security skills among the organization’s personnel.

• After assessment and planning, DSSes mentor LPs and provide technical assistance while the organizations build and deepen in-house security expertise, often through ISC’s ToT program.

Trust, local networks, and collaborative relationships are part of the project’s approach to working through and around the complexity of political, social, and cultural contexts. ISC has spent years identifying, building, and maintaining relationships with local experts and cultivating connections with social media platforms and technology companies. These relationships are critical to the ISC’s success in helping civil society organizations put in place better digital security practices and restoring safety after an attack.

Obstacles

ISC cannot always provide the level and frequency of support required by our 100+ LPs, especially because most organizations do not have dedicated IT staff. While ISC’s DSSes are capable of providing support on an as-needed basis, they cannot fulfill the critical role of an internal IT specialist.

ISC’s ToT program is designed to alleviate these pressures by building up a larger cadre of local digital specialists. This solution has been effective to a certain extent, creating capacity and digital security skills within organizations, but many LPs require the support of an in-house, basic IT expert. Ultimately, ISC can only make lasting changes with LPs who are investing in these staff and solutions.

Latest Threats

Internet communication technologies (ICTs) are being wielded against human rights activists, journalists, and civil society organizations by authoritarian actors. Demand for the ISC’s digital security training is increasing as the frequency and sophistication of these threats evolve and become more widespread. ISC’s LPs face digital security threats including online surveillance, cyber censorship, unlicensed software, mobile device insecurity, online harassment, privacy of data, and equipment confiscation.

Illegal Surveillance

From Latin America, to the Balkans, and Sub-Saharan Africa, authoritarian leaders have purchased increasingly sophisticated surveillance technology to better track and regulate citizens.

Trolling, Doxing, and Disinformation

These tactics are on the rise as state actors try to shape public debate and perception, often drowning out independent voices who attempt to uncover corruption or speak out against other injustices.

Harmful legislation

Cybercrime laws in Bangladesh, Cambodia, and Tanzania have been used to prosecute marginalized groups and independent journalists under dubious claims of religious defamation, harming cultural sensitivities, and even terrorism.

Online and Offline Violence against HRDs and Journalists

Activists and journalists in autocratic countries face daily threats of violence against their person and devices. Para-police groups carry out extrajudicial attacks in the form of harassment, detention, defamation, and confiscation of equipment.

Country Context and Emerging Changes

Bangladesh

Media reports surfaced this quarter providing evidence that the Bangladeshi state is now equipped to monitor, block, and filter online content, including posts published on social media. The Department of Telecom (DoT) has developed a system under the “Cyber Threat Detection and Response” project which will be used for around-the-clock monitoring of hundreds of different sites at a rate of about 1,200 Gbps.[1] Law enforcement agencies have similarly tasked the DoT to block content which they deem as derogatory or harmful. Civil society groups and independent journalists fear that such monitoring will have a deafening effect on oppositional views and the work of marginalized groups like LGBT organizations, which are already considered ‘anti-religious’ under a religious defamation law.

[1] https://www.thedailystar.net/frontpage/bangladesh-govt-can-now-monitor-block-filter-online-facebook-contents-1802497

Cambodia

Scoring 55/100 (partly free) in Freedom House’s 2018 Freedom on the Net report and 143 in the World Press Freedom Index, Cambodia is considered a high-risk nation for cybercensorship and attacks on freedom of expression. This year, the government issued an inter-ministerial “prakas” (or proclamation) which lays the groundwork for future blocking and filtering of online content. This new anti-cybercrime law has raised concerns that it will negatively affect independent media, as the country is taking aim at Facebook users who are community activists and opposition supporters, who are increasingly subject to the same pressures as the traditional media. Recent findings of the Media Ownership Monitor Cambodia project show that about 95 percent of Cambodia’s media outlets are now affiliated with the government and ruling party. Cambodians now only have access to news provided by major media groups directly linked to Hun Sen, such as the online news agency Fresh News, which pumps out pro-government propaganda. Only the Voice of Democracy network, whose radio station was closed, tries to resist on social networks by streaming live on Facebook. Journalists who still dare to conduct investigative reporting on subjects the regime dislikes (such as prostitution of minors) are imprisoned.

Balkans

HUAWEI is making a strong entrance into the Balkan markets and has begun selling their surveillance technology to regional governments. The telecommunications company has entered into an official partnership with the Government of Serbia and there are indications that they might do the same with the Government of the Republic of Srpska Entity in Bosnia and Herzegovina. In Belgrade, HUAWEI has already started installing cameras for facial recognition and tracking.[2]

Courts in North Macedonia charged a number of high-profile businessmen with extortion in a corruption case that also implicates former special prosecutor Katica Janeva. Janeva and the businessmen were caught trying to blackmail one another with recordings unlawfully obtained by the previous government through its illegal surveillance program that targeted over 20,000 individuals. The case reveals how the surveillance scandal continues to hinder anticorruption efforts and puts into question the security of data collected by the previous regime.

Nicaragua

Throughout 2019, numerous cases of abuse and digital attacks were perpetrated by state actors in Nicaragua against our beneficiary groups, private companies, and other opposition groups not serviced by the project. Political polarization has exacerbated cases of human rights violations in a number of notable ways: ISC’s local DSS discovered multiple instances where LPs’ computers/hardware were confiscated from their offices, social media accounts were taken down after state trolls falsely flagged them for inappropriate content, and DDoS attacks occurred against at least four independent media websites.

[2] https://eu.usatoday.com/story/tech/2019/10/16/huawei-surveillance-cameras-spread-china-serbia-and-elsewhere/3995561002/

Tanzania

The passing of a new Miscellaneous Amendment Act 2019 has severely restricted the working environment for most local partners in Tanzania. The Miscellaneous Act limits the amount of funding a non-profit organization can receive from abroad and forces CSOs to reveal their donors, as well as a list of intended projects. This lack of privacy has led to the closure of certain projects that the state deems ‘inappropriate’, especially those related to election monitoring or which support LGBTQ communities.

As with many authoritarian countries, state actors are partnering with private companies to increase the complexity of their surveillance software and techniques. For instance, MNO and Vodacom have been accused of selling customers’ data to the state without prior consent, citing reasons of ‘national security’. These tools and techniques have been used disproportionately against human rights defenders and journalists. ISC’s DSS in Tanzania discovered, using an OONI Probe, that Vodacom was blocking Signal for an LP activist. Similarly, during an LP assessment, the DSS uncovered that certain ISPs were surveilling and censoring staff’s browsing, as websites couldn’t be reached from their network and users were not given full access to their network devices’ cPanel or hosting root account. ISP companies have implied that they are forced to comply with state demands or risk having their business licenses revoked.

Looking Ahead

In ISC’s ninth and last year, the project will continue its successes and evolve by significantly expanding the number of countries in which it is engaged. Local DSSes are being hired in:

• Albania
• Armenia
• Azerbaijan
• Georgia
• Kazakhstan
• Kosovo
• Montenegro
• Mozambique
• Serbia
• Tajikistan
• Zambia

Expansion countries were prioritized based on assessments of cyberthreats, ease of the operating environment, prevalence of potential local partners, and Internet freedom trends. ISC conducted desk research, tapped staff knowledge, networked at international events, and consulted USAID to select the countries. In these new and current countries, ISC DSSes or ToT graduates are expected to conduct at least one training for LPs and one ToT every month. This ambitious scaling effort will build up a strong presence of local digital security expertise to ensure the sustainability of ISC efforts as the project closes.

Adding to work under objective 3, ISC is developing tools that will help cybersecurity trainers do their job more efficiently and effectively. For example, work is underway to develop a solution to monster-in-the-middle (MitM) attacks by creating a Trusted Certificate Checker to improve the online safety of our LPs.

Under objective 4, FY20 onward will shift direction towards countries that exhibit a certain degree of increased political openness. Past grants (2017-2019) focused on gaps in research, knowledge, and capacity building. FY20’s multi-stakeholder governance model for selecting proposals will focus on direct policymaker-facing advocacy. This shift will help ISC counter restrictive Internet laws and support policies to promote a free and open Internet in targeted countries where the government has adopted, or is considering adopting, laws or policies that obstruct Internet freedom. ISC will award and manage at least six and as many as ten domestic Internet freedom policy advocacy subgrants to local implementers in Armenia, Georgia, Indonesia, Mozambique, Zambia, Ukraine, Zimbabwe, Bangladesh, Ecuador and other developing countries. Concept notes will be accepted on a rolling basis until our resources have all been (well-)used.