Privacy and Security Guidelines

Overview

The privacy and security of the public, our partners, and our team members is of the utmost importance to the Uchaguzi team and to Ushahidi.

As such, we have developed these guidelines for our core team to include as part of the training of all volunteers, across all levels and responsibilities. This page is an introduction to our security goals, recommendations, and general requirements for all volunteers.

Uchaguzi Access and Training for all team members

We are asking all reporters and Partners to review and agree to our Code of Conduct (or, lightly put, Code of Collaboration) before engaging with the platform and the project.

In addition, each team member working with data submitted to the Uchaguzi platform requires training and scheduled times for their assigned tasks. According to their assigned tasks, each member will have a set access level.Angela Lungati from Ushahidi is managing these access levels.

While anyone can create an account to have a "member" status, they will only be able to view their reports submitted. All other Uchaguzi access tiered will have various levels of permissions pertinent to their assigned tasks. Only the Admins, Verification, and Publishing team members will have the right to publish posts that can be viewed by the public at https://uchaguzi.or.ke.

Guidelines for reviewers when securing their own browser

  1. Remain logged out as much as possible

    1. Only login when you are actively reviewing reports

    2. Avoid doing other tasks while reviewing reports

    3. This reduces risk of various hijacking attacks

    4. Always log out when you're done. Don't leave your computer logged in and unattended

  2. Check the URL:

    1. It should be: https://uchaguzi.or.ke

    2. Is the certificate valid? You shouldn't receive browser warnings and you should see a green padlock next to the URL.

  3. Use a secure password? How to create secure passwords

  4. Avoid logging in to the site from public or untrusted connections

  5. Avoid keeping copies of sensitive info. For example: don't edit reports in a word doc.

  6. Install NoScript for Firefox or NotScripts for Chrome

    1. Detailed guide to Firefox security addons

  7. If possible: use Tor when accessing the Uchaguzi admin panel

Questions to consider when posting (reviewing) a report to Uchaguzi

  1. Is there private information in the message? Should it be included or excluded?

  2. Will publishing this report endanger the reporter?

    1. Will the reporter be safer if I delay publication? (to avoid clearly and immediately identifying a victim)

  3. Is the report urgent or an emergency?

    1. Have I contacted the emergency desk of my team lead?

    2. Should the item be posted or removed?

    3. Should certain partners also be contacted?

  4. Am I working in a secure location? Is my password ok? How to create secure passwords

  5. Are there any URLs in the report? Are these reports suspicious? Should they be removed?

  6. Is there any code / HTML in the report? This should be removed.

Tips from the Uchaguzi 2010 Case Study

on Security & Privacy:

"The ability to create questionnaires gets people to start thinking about the security that I think needs to be a standard set of questions that people ask for in any installation at all. While the issues of information security, privacy and the possibility of retribution for sharing information was not a major issue in the Uchaguzi‐ Kenya project; it may play a very large role in other election monitoring projects that use Ushahidi or Crowdmap. Risks to people systems and organizations are constantly evolving approaches to security privacy will need to be regularly evaluated."

A security and privacy review should begin with:

  • A discussion of potential risks to the crowd and organizations if they use the platform

  • Plans on how to keep technology hardware (e.g., servers) safe and secure

  • Plans for how volunteers and others should be trained to keep information private and secure, if necessary

  • A contingency plan for security and privacy related events.

Materials