 I don't think I have to explain anything. It says it all up there. OK, Michael, you're here. Sure, sure, sure, sure. Hey, everyone, I'm Michael. I work for the International Human Rights Organization Access. And I'm going to be talking about threats to civil society, but also responses to those threats. And I'm actually going to try to focus a little bit more on the response. In the past, we've done this talk at OM in 2013, for instance, and there's very much on threats, which are always exciting and always changing. But it's become more interesting for me anyway on ways of building response to those threats, groups, organizations working together to have infrastructure to be able to respond to these threats better. So I'm going to be talking about these threats briefly, the rapid response to those threats, and then some of the things that we're looking forward to in 2015. So I probably don't need to go too deep into the threats that are being faced by civil society today, but civil society is always going to be at a disadvantage when compared to corporations or governments in protecting themselves from attack. And some of that is just based on capacity. Some of that is because they're focused, they're non-technical civil society organizations or groups. Maybe they're activists, social, political, or otherwise. And they are not interested, or at least initially not interested, in digital security, but rather their activism or their work. What we see is more and more, and we have been seeing this more in the news as well, that groups such as journalists, especially investigative journalists, independent media websites, all varieties of activists in all sorts of contexts, lawyers and others are getting targeted. And what's also interesting is the groups and organizations and foundations that fund and support these groups are also a potential factor for attack, but also potentially a strong ally in providing this additional capacity for these groups. So the perspective that I'm going to be speaking from, wow, that's washed out, but is through our helpline, what we call, which is three offices around the world that focus on providing this rapid response support, as well as digital security advice to civil society groups. The oldest one is based in Tunis. It's been around since around February of 2013. It's got, most importantly, one shift lead into incident handlers. Then we opened an office in San Jose with a shift lead and incident handler, and most recently in Manila with a shift lead and an incident handler. In addition to those core staff members who are available, we also have various support folks, such as technologists, developers, and a trainer. So why there? Part of it, or a lot of it, is time zone. So what we want to be able to provide is somebody who doesn't have to stay up the whole night and in a very unsustainable way provide digital security support to a group or an organization, regardless of what time zone they're in. So by being in these different time zones, we're able to pass jobs from one office to the other during regular hours, and hopefully that makes it more sustainable for us as a support organization. In addition, it allows us to have language coverage in these different regions, as well as regional expertise, relationships with regional organizations, and all of that. So what type of cases have we seen on our helpline? So through 2013, we had around 12.6 on average cases per month. Up to 2014, we're now averaging 37 cases. So what that basically means is we have more than one new case per day. And to be clear, these are external non-tor-exit node abuse cases. So we also run a number of exit nodes, and we handle the abuse of those as well. So cases are increasing. Our capacity is also increasing. And most importantly, what I think speaks to the increasing case load is that our internal workflows and processes are improving. So because we've dealt with problem X before, we can now have a template for that. And maybe we've created a walkthrough or we found the appropriate resources that are online that are effective for that. And so we're looking forward to further solidifying those workflows, and then also making sure that those are audited with other organizations that do similar things so that we're doing the best practice that we can. Looking at these cases from another way, also kind of splitting it arbitrarily between the two years. We've done cases in more than 60 countries. The countries vary pretty wildly. It's not as interesting data as you would think in terms of the rankings, because there were such a higher number of cases in 2014. You could still have a greater number of Malaysia cases in 2014 as you had in 2013, but it doesn't make it to the top 10, that type of thing. So there are a couple of different contexts that maybe are shared between these different countries that we definitely saw. So presidential elections are definitely a ripe time for the targeting of independent media sites or activists, protestant, civil unrest, for sure. One of the interesting things is the prominence of the United States. So in the US, there are many international organizations that are based there that do work elsewhere in the world. And so a lot of that work is actually helping these organizations, such as advocacy organizations or other do that work in a safe and effective way that's not putting their local partners at risk. And so that also speaks to the lack of depth that we've started categorizing things still. We haven't differentiated those cases within the actual target countries. 2014, you have hacking groups, the targeting of LGBTI communities, and as well as independent media and journalists. I'm going to take a brief look at Vietnam, just because it's the number one country that we worked in for this year. And it represents a case that represents a lot of issues that are faced in a lot of places, and it gets them all. So what's interesting about Vietnam is you actually do have access to Facebook, and you do have access to popular platforms that are censored in Iran or China or other places. But what that means is then you have per regime hacking groups and other folks taking advantage of those platforms to try to target folks. So we get a lot of account recovery or compromised accounts. You get a lot of abuse of abuse mechanisms on these platforms. So one of the classic examples of that is real name policy. So this is something that's especially prevalent with Facebook, and for a time was a significant threat because if enough people reported your profile, then Facebook would ask you for an identity card or information, and this would be likely an individual that's working under a pseudonym. And they would be thinking that they're authenticating themselves to Facebook when in fact they might be authenticating themselves to their entire networks, which means they provide their information to Facebook, then Facebook publishes that new updated information to their profile, basically outing them. So that's obviously something that you want to prevent. In addition, Vietnam is interesting because there's a lot of infrastructure, or potentially infrastructure, attacks. On the website side, websites of independent media and civil society groups get targeted, and so there's a lot of needs regarding updating, hardening, DDoS protection, and there's a lot of existing organizations that we can connect groups with, such as Deflect, Cloud Flare's Project Alaleo, or Google's Project Shield that all provide free DDoS protection to civil society. And then of course there's a host of other secure communications and anonymity concerns there. More generally, in the countries and communities that we've worked in, there's obviously a wide spectrum of need, but maybe some of the ones that are most interesting or most familiar to you guys are secure email. GPG encrypted email is still very tough for a lot of folks, and so mail pile is also obviously something that we're anticipating greatly, but we can't put all of our faith in one tool. Secure file sharing and collaboration, there isn't really one cross-platform solution for that, unfortunately, but there are some very interesting ones, so BitTorrent Sync, for example, on mobile, is very interesting, but it's not FOSS. Website security, there's a lot of targeting of websites because there's a lot of poor practices out there, and people have a lot of difficulty if you're a non-technical organization in keeping those websites up-to-date, let alone kind of hardened or secure, and so one of the big needs for a lot of organizations is Western secure hosting, so basically a hosting provider that will proactively make sure that things are up-to-date and protect against threats that are coming out, and unfortunately that costs a fair bit of money and so are out of reach for a lot of these civil society organizations. And then I already talked about real name policy a little bit. So what are some of the ways that organizations are trying to support this work and try to improve this work? So one piece of this is improving the workflows that we have for responding to these attacks. So a number of organizations such as Digital Defenders Partnership, Circle, EFF, Internews, and others, as well as ourselves, put out a thing called Digital First Aid Kit, which is basically the first step towards trying to audit these workflows and how we respond to these situations. But it's not just for the existing community in order to build some type of general foundation of response, let's say, to targeted malware or whatnot. It's also to make it easier to build additional rapid response groups and communities around the world. Because what's most helpful is it's not one organization doing this, but it's a number of organizations at international and regional and local and community levels doing this work. In terms of improving these processes as well, there's been the recent listing of a civil society cert to try to improve this coordination between the civil society community. And you can check it out. It's not accredited yet as a cert. We're also hoping to go through this same process. And a lot of this is to help audit our workflows and help make sure that all the things that we do are our best practice and are easily shareable publicly so that other groups can also build these types of infrastructure and support mechanisms for a civil society. Hello. So this is kind of zoomed in a bit. But one of the interesting aspects of the helpline work that we do and the response that we have is actually only 50% or 51% of our cases are reactive in the sense that someone is urgently contacting us and they need x, y, or z done. About half of our cases are instead people pinging us, most likely organizations or individuals that we already have a relationship with from working with them in the past that are asking for proactive help to secure communications in some variety or implement or try out some tool or have a training on a particular practice. And so what this does is actually put rapid response organizations in a difficult position because they're nominally focused on this reactive type of support. But in building these relationships with these different organizations or groups, you become involved in these more long-term, basically capacity building. And so some of the ways of helping that is by bridging this gap between the rapid responders and the training community. So the training community are the folks that do this type of capacity building for organizations and individuals. But as of now, there isn't a great interaction between the two communities. And so for instance, a lot of the materials that are created for training are targeting end users rather than targeting folks training other people. So a rapid responder doesn't necessarily have a lot of materials in which that they can learn how to best communicate secure communications issues to a given community. But that's getting filled at least at some level. There's the level up project, which is currently being managed by Internews. And there's also the Safe Tag project, also currently being managed by Internews, that are very exciting. Level up is focused on trainers and Safe Tag on auditors of the security of organizations. So these are ways of filling in these gaps between rapid response and the training of end users and trying to fill in what about organizational level, what about getting more trainers that can kind of work in that spectrum. On the other side, trainers often fall into an issue where they're funded to go to a certain place and do a training for a week or five days or three days with a number of different organizations on a set number of topics. And that's all that they're funded to do. And maybe they're not even an organization, but a number of consultants. And so one way of helping support that initial interaction with digital security tools and practices is to have these rapid responder groups supporting the trainers when they're going to these places and coming out of those trainings so that those organizations can continue to engage on those topics. If they have issues with their Thunderbird and Enigmal installation or something like that, they'll have folks that have the capacity to respond in a meaningful manner and all that type of stuff. So those are kind of my pitches for ways of tying those two threads together. On the other side, you also have rapid responders and developers. So a lot of trainers and rapid responders receive very interesting user feedback on these tools because they're working in high-risk environments with targeted communities. And it's the type of information that a developer hopefully would find valuable. However, they don't really have the capacity or time to be going to a developer and trying to formulate their feedback in a bug report or multiple bug reports, et cetera. And so there's not a lot of capacity currently to kind of connect that loop. And so one project that's an exception to that is OpenITP's secure user practice project, which is actually just one person. So obviously, more capacity there would be awesome. For the developers to trainer side, one of the things that we're looking forward to trying to do in 2015 is interact more with the developers of some of these secure communication tools that are relied on by these communities and trying to, instead of the developers having to provide support for these communities, which is great of them when they're able to do it, but also have rapid responders and trainers supporting them when they're interacting. So we're generally, I hope I kind of spelled out in a general overview, the rapid response community. And going into 2015, kind of the continued standardization and auditing of the existing workflows that we have. And part of that is also trying to get it more publicly available so that more groups at a lower level can be built around this documentation and these workflows, continue to focus on specific communities that are being targeted, improving these different interactions between rapid responders and training groups, as well as these loops with developers. Thank you. Michael, here it is. Wow. We'll be taking questions, please. If you, as this thing is streamed, will you please walk up to the mics? Number one, number two, number three, and number four. Talk into the mic so we got it on the stream. The young man, number three is the first, number one will be the second. Okay. Hello, thank you for the talk. My question would be, are you self as an organization being targeted at times and are you careful about that? Do you have any operational security regarding that? Sure, yeah, that's a really good question. So we certainly try to take a lot of precautions in the infrastructure that we build and the practice that we have. So for instance, on the back end, for ticketing, we use Request Tracker, which can be incorporated GPG so that all of the emails that it sends out to folks are encrypted. We have an encrypted Schluter mailing list where we coordinate stuff. We try to, in order to access the Request Tracker in the first instance, you need to connect to a VPN where you're authenticated via a certificate. Then you go to a website that's not publicly available, that's only available through the VPN where you're authenticated via a certificate. Then you authenticate with your account name and password. So I think that's three factors. So we definitely try to implement practices to protect this type of information and make sure that the trust that people put in us is well placed. Okay, thank you. Number one, please. Okay, so the question is about the partner's need for secure file sharing. So what about on cloud? Because I use it in my organization, it's not a frontline situation, but I know the security audits are badly needed, but have you considered it and did you find it unusable because that was the prerequisite? Sorry, what was the tool? On cloud. Unplugged, I've not played around with it. The on cloud project. Okay, I'll check it out. I mean, so that's one of the great examples of what we need to do is have some type or more capacity to be testing out new tools and then once they reach a certain level of we want to be using them, then have them be security audited by the community and then finally incorporate them into the workflows. Unplugged, cool, thanks. Thanks. Okay, do it sequential, number two, please. Okay, Michael, I mean, thanks a lot for a really nice talk. I mean, thanks a lot for all the work. I mean, maybe I'm not so much informed about access, but I was wondering how do you get your funding? And the other question was, I mean, most of the search around, they are private sector search or governmental search and I was wondering, do you find it easy to work with them? Are there obstacles that, you know, on the top of your list that you would like to see removed or issues? Sure, so on the first ask, so we actually have a web page on our website, sorry, websites accessnow.org and we actually have a funding page. I think it's slash about slash funding and it has our funding policy as well as where we get all of our money from, like specifically for each project, for the help line or for access in general, it's like two-thirds foundation and one-third corporate government and individual donation. But you can see it like further broken down. But yeah, that policy ends up meaning in practice that like we don't accept money from the US government for instance and some other entities. And that just comes out of our history. We originally were providing this type of digital security support to the green movement in Iran in 2009, 2010 and then we expanded and so obviously in the Middle East it's in a lot of communities getting US government funding as a non-starter. And for the second one, for cert, I'm actually a terrible person to ask that question. Rafael, who's sitting in the front would be much better at answering how it is interacting with private certs. I don't know if you wanna like. Okay, Michael, I think your computer is on 10% or something like that. At least that's what it says. Okay, so hello. I work in Luxembourg National Cert there. So that's basically, I'm helping also, I'm trying to help civil society to have to improve our security. So it's not really a problem of the most complex part to deal with other certs is to get the trust and it's all the same problem you will have all the time in such situations. So it's not really more complicated with the cert than with any other organization. As soon as you have the trust, you're fine, yeah. Okay, number three, please. Yeah, I was in the yesterday in room number one, crypto tails from the trenches where the journalists talked a little bit about the whole issue about using crypto tools for communication and they seem to be running into a lot of the same issues that you guys are encountering when you do the work with the people out in the front. Are you connected to each other in a way? Because I like the approach that you are closing the link to the developers and I think it would be very smart that you all sort of join forces now in the next time to come because it seems to be a rather big issue to come up for many people. Yeah, I fully support that and I definitely want that to happen. It's just a little bit slow, but it definitely is happening, yeah. Okay, there's somebody at number one, please. And was that a sign or, yeah, okay. Yeah, it's not working. Talk into the mic, please. It's not working, it's working. Okay, now, thank you. Well, first of all, thank you for your great work. I think it's a tremendous help for many people and I would like to ask a question about this United States on rank two or something. You said it was mainly because they are working abroad, but do you also have, you know, questions about being targeted by Western governments and do you deal with that as well? Yeah, that's a great question and certainly. So communities that are targeted by U.S., so there's journalists, as I mentioned, more generally, lawyers dealing with topics that the U.S. government doesn't enjoy, activists. I think it's not dissimilar from the types of communities that would be targeted in the U.K. or similar. Okay, there's two more questions here and this is Germany, we're trying to keep the timetables. So we'll take a maximum of three. Go ahead. Fabio from GlobalLeaks. I want to ask you if it does happen for the kind of job that you're doing, especially on the preemptive activities that relate to the training and the post-training activity to work with, let's say, project-based initiative. What I mean, with GlobalLeaks, but probably also other software, you end up supporting a group, typically in a vulnerable society, where it's not your main job to do the digital security training, but you end up often working with people that require to have the digital security skills. And okay, we end up doing the training when it's needed, but it's not our job and what you say about the post-training critical points is exactly what we experience in several projects. So my meaning is, does it happen that when there is a project that involves civil society that needs to be planned, there are already a set of partners, you can get engaged for the training, post-training and support for everything that's related to digital security. That's a core component of a project, but maybe who is leading it doesn't have specifically that kind of preparation and especially that kind of organized stuff to do training and post-training, especially. Yeah, so if I get what your question is, we would be more than happy to support like an organization such as yours when you're doing those types of activities, if you want to coordinate beforehand, that's even better. I don't know if any organization has a full map of what they want to be doing for the next five years, so we're more than happy to provide that support as issues come up. So if it's initially localization and it's support on secure communications to talk about global leaks or the da-da-da-da-da, like we're happy to do it as it comes up, but happy to talk more later if I didn't understand your question. Okay, thank you. Last question, hang on. Folks, when you're leaving, please can you keep it quiet for the last two minutes? Go ahead. Do you have a model for letting people volunteer to provide instant handling support, similar to sort of like the Sands Storm Center where folks can be on call to provide detailed triage investigation, that sort of thing? That's a good question. If you're volunteering for a project like a secure communications tool or anonymity tool or some other project, we're more than happy to interact with you with that project. For instance, if you end up getting some type of emergency response that you don't have the capacity for, we don't currently accept volunteers for this type of work just because it's usually rather sensitive and it would require us to implement more, I guess, user control in the whole back end to be able to incorporate that at this stage, at least. Did you want to ask something before? I've seen you, but... Thank you. Keep it short. That's a good question. I just checked your website and I would be curious to know if you have been to South Korea concerning the ITU planetary session and you had this campaign... ITU, yeah. And I would be very highly appreciate if you could tell us more about was it successful? Did you achieve something during this meeting? Sure. So in addition to the technical work that we do, we also have a policy and advocacy team. So that's the ITU internet governance stuff is more on the policy team. So I can't talk to that in particular, but I'd be more than happy to connect you with the policy folks that did go to South Korea and did work on that. Okay, really last question. How do you raise your profile and reach groups? How do they come across you? And of the proactive cases in which civil society actors sought out your help, what percentage of those had previously sought help or support? So for the first one, it's through, I guess, word of mouth currently that folks hear about us and get connected and there is a benefit because there's implicit reference or referral in that. And so that helps us in the vetting process by already having one trusted partner know this organization or individual. But it is an internal discussion about how much more public we wanna make it or have contact form on the website or things like that. But that's kind of an ongoing discussion. For the preventative, that's a really good question. I would say the majority of preventative cases are probably folks that we've already interacted with who might have initially heard about work that we've done from other folks or we've done a reactive rapid response for them. But as you can kind of see in some of the stats, we're still kind of working on analyzing our statistics. So I didn't try to look at that, but I'd be happy to look at that more and be able to share it later. Okay, let's have a final hand for Michael and thank you very much for that talk.