In October 2019, student protests ignited in Chile, the first was in response to an increase in transport fares in the capital. The movement rapidly gained momentum. It was a revolt against increasingly extreme inequalities, privatisation and neo-liberalism. Government repression was not long in coming: a state of emergency, curfews, internet shutdowns, censorship on social networks, police repression. With Take Back the Tech! it was at this time that we planned a Feminist Learning Circle on the issue of digital security risk assessment. Given the situation, and since our trainer, Paola Mosso from the Engine Room, is Chilean, we had to postpone our webinar.
We rescheduled our Learning Circle to a month later. Registrations were pouring in. The Chilean situation was far from being an isolated case. In a context of global uprisings, increased surveillance of our devices and movements, our webinar was on-spot for activists from around the world. How can we make our campaigns safer? How can we protect ourselves adequately? What about our data? Where do we start?
On November 21, 2019, Paola Mosso and Barbara Paes from Engine Room shared their knowledge on risk assessment. If you're not familiar with the Engine Room, it's an international organisation that supports activists and organisations with data and technology for social change.
Why do a risk assessment?
The risks we face as activists vary according to our contexts and the type of work we do. Risks can range from surveillance to physical attacks to imprisonment or stigmatisation. That's why there is not ONE harm reduction strategy, or ONE strategy that protects everyone equally. People are affected differently depending on their context and where they find themselves at the intersection of oppressions. The risks are different for a white activist in North America than for a queer activist in Uganda or a feminist activist in Chile, for example.
As Paola and Barbara told us, risk assessment is done to "help us reduce threats and thus mitigate the consequences of a potential attack. Doing a risk assessment, or thinking about potential risks, can be frightening or scary. But in reality, as Paola and Barbara said, just thinking about it and starting the process is one way to reduce the risks. It allows us to better target our forces (current capabilities) and security needs (required capabilities): it gives us strength. To do this, they shared with us some tools for personal and organisational analysis. In this post, I will try to put the first one into practice with fictitious examples.
The Risk Formula
From the Workbook on Security: Practical Steps for Human Rights Defenders at Risk
The above formula is a tool that helps us better identify our security needs.
Basically, we can learn how to reduce risks by identifying:
- threats that concern us: "declaration or indication of an intention to inflict damage, punish or hurt (recent or immediate)"
- our vulnerabilities: "any factor which makes it more likely for harm to materialise or result in greater damage"
and by knowing and strengthening:
- our capacities: "any resource (including abilities and contacts) which improve security". In other words, the actions that can be taken.
So let me take a fictional example: activists will soon launch a national online campaign against sexual harassment on public transport. Some of the organisers are very well known to the public (Vulnerability) and have been the target of online threats in the past, this could happen again (Risk). Fortunately, activists have a strong support network both online and offline (Current Capacity). To further reduce the risk of an online gender-based attack, activists can research themselves online, check the information they find, and change their social networking settings for greater privacy or anonymity (Required Capacities).
Excerpt from Paola and Barbara's presentation
With such an example, one might ask how different contexts would affect these 4 elements. If one of the activists is trans, does she face any other risks given her specific reality? If this campaign is launched in Delhi or London, what difference does it make to activists? If activists organise independently without support from large or established groups, how would the risks and capacities be affected? All of these questions remind us how a risk assessment is always contextual. We are the first to know our context, and therefore the main ones to know how to act and protect ourselves within it.
At Take Back The Tech! we developed a card game, an interactive and fun exercise that can be used as an introduction to risk assessment. The TBTT game is a role-playing game based on different scenarios of online gender-based violence and aims to develop strategies to respond and protect oneself.
In short, doing a risk assessment may seem like a dizzying step, but it is basically the best way to regain power over our fears and insecurities.