Security training activities for NGO staff using Umbrella app

Given the safety and security issues faced by NGO staff in high-risk settings, there is a need to train NGO personel on how to handle certain issues such as kidnapping, evacuation and arrests.

If you train activists, aid workers or journalists in operational security, Umbrella can help! It’s a free, open-source security app built by security trainers.

Here are some easy activities using Umbrella that you can integrate into your next training. Before you get started, there’s some prep to do:

PREP

• Get Umbrella from Google Play, iOS Store, Amazon, F-Droid or [online web app]().

• Make sure participants have access to Umbrella, or devices, a fast internet connection, and charging cables to download it during the session.

• Review “Things to consider for trainings” from LevelUp.

1. EASY GAMES TO INTRODUCE UMBRELLA AND EXPLORE SECURITY CONCEPTS

Umbrella quiz (< 30 minutes)

GOAL: Participants learn to navigate between different security topics and guides within Umbrella. Intended to invite exploration of the app rather than test knowledge.

Works best for: - Beginners - Groups with Umbrella on multiple devices

PREP: Divide the group into two or more teams and designate a quizmaster to read the questions below. Award points for the team that calls out the answer first.

Quiz Questions

TIP: Instruct groups to open Umbrella and navigate to Information –> Managing Information –> Beginner before the first question. For the remaining questions, participants should try and find the answers before you give the location of the information in the hint.

1. How many main assessment questions should you ask yourself when threat modelling?

   Hint: Information –> Managing Information –> Beginner –> 3. Assessment questions.

   Answer: 5.

2. Read Passwords, then complete the phrase, QuaintlyFreshResilient__________.

   Hint: Information –> Passwords –> Beginner –> 3. Remembering secure passwords.

   Answer: SnowstormReworkAbnormal.

3. Read “Public key encryption” in the Glossary, then complete the phrase, bluetonic______.

   Answer: monster.

4. How many questions does Umbrella recommend you always ask yourself before you share information on social media?

   Hint: Communications –> Online Privacy –> Beginner –> 9. Think about what you share

   Answer: 5

5. Read “Security Question” in the Glossary, then complete the phrase, “Correct Battery _____ Stapler.”

   Answer: Horse.

6. How many recommended protocols are there for using satellite phones in a hostile environment?

   Hint: Communications –> Radio and Satellite Phones –> Advanced –> 3. Recommended Protocols.

   Answer: 5.

7. How many rules of counter-surveillance does Umbrella list?

   Hint: Work –> Being Followed –> Advanced –> 2. Five Rules of Counter-Surveillance

   Answer: 5.

8. One in how many people who experience severe trauma will develop post-traumatic stress disorder (PTSD)?

   Hint: Stress –> Stress –> Expert –> 1. PTSD

   Answer: 1 in 3.

9. Under Emergency Support –> Physical, Umbrella lists groups you can call in case of a physical emergency. Which group operates the 24-hour emergency support number (+353)-1-21-00-489?

   Answer: Front Line Defenders.

   Bonus discussion question: What’s a physical emergency? What’s a digital one? When would you call Front Line Defenders instead of emergency services?

10. What’s the most important piece of security advice an aid worker or human rights defender can be given?

    Hint: Search Umbrella for “most important” (without quotes)

    Answer: Always wear a seatbelt. (Under Travel –> Vehicles –> Beginner –> 2. Driving Guidelines)

    Bonus discussion question: Do you agree that this advice is the most important?

Always/Never (30-60 minutes)

GOAL: Practice threat modelling; analyze risks vs. benefits; establish that there is often no single authority on security issues.

Works best for: Any level, including groups with limited devices with Umbrella

TIP: Choose from our list of possible questions (see below), or create your own in advance or with the group. Review Spectrogram activity from Aspiration Facilitation Wiki for more ideas.

PREP: Write the words “Always” and “Never” on opposite ends of a black/white board, or on two sheets of paper that you place on the floor at opposite sides of the room. Participants will move around and line up between the words, so clear space.

Demo round:

• Read the question, “Would you use your real name on social media?”

• Ask who would answer “Yes” (or select a volunteer to pretend). Stand one person beside the word “Always”.

• Ask who would answer “no” (or select a volunteer to pretend). Stand one person beside the word Never.

• Ask who falls between the two extremes. Invite another volunteer to position themselves on the spectrum (ie. sometimes = closer to always; rarely = closer to never). Can they say why?

• Ask one person to choose and read aloud a relevant passage from Umbrella, Communications –> Online Privacy –> Beginner –> 8. Take care registering.

  TIP: Allow those standing to sit back down or move chairs to their position if appropriate for age/mobility/energy levels.

• After reading the relevant information, have everyone in the game stand and take a position between Always and Never in answer to the same question. (Let volunteers reposition themselves if they choose.) If there is interest/debate, invite one or two people to explain why they took their position.

• Sit everyone down. Explain that when you play again, everyone will stand and take a position between Always and Never before you review the Umbrella chapter. Then you will review Umbrella as a group and allow everyone to discuss and reconsider their position if they chose.

  TIP: Warn that Umbrella does NOT give definitive answers to these questions, just context in which to consider them. The game is risk vs benefit, not right and wrong.

To play:

Debate 2-3 questions total, and call on a few participants to articulate their position each time.

TIP: If everyone clusters around one opinion, try assigning different risk profiles (e.g. anonymous source in presidential corruption probe/ receptionist at NGO head office). Or ask: Would you stand somewhere different if you were a different gender/religion/ethnicity? What would move you from where you are now to Always or Never? Would you answer differently if you were based in, or travelling to, Iceland? What about the United States? Brazil or India? Russia? Ethiopia? China? Why?

Possible Questions (beginner —> advanced)

• “Would you use Skype for sensitive calls?”

  Read: Communications –> Making a call –> Beginner –> 1. Less Secure Options.

• “Would you register your phone with your service provider?”

  Read: Communications –> Mobile Phones –> Beginner –> 3. General precautions.

• “Would you register your actual accommodation on a visa entry form?”

  Read: Travel –> Borders –> Beginner –> 3. At The Border.

• “Would you carry an official card issued by your organisation on a work trip?”

  Read: Travel –> Preparation –> Beginner –> 3. Key Documents.

• “Would you monitor the location of a colleague’s vehicle using GPS tracking?”

  Read: Communications –> Radio and Satellite Phones –> Beginner –> 4. Capabilities.

• “Would you root or jailbreak your smartphone?”

  Read: Communications –> Mobile Phones –> Expert –> 1. Get Full Access To Your Smartphone.

• “Would you destroy your phone if you were about to get arrested?”

  Read: Work –> Protests –> Advanced –> 1. At the Protest, 2. Prepare Your Phone, 3. Ripple, and 4. Mobile Phones.

• “Would you store your private key on a mobile device?”

  Read: Communications –> Email –> Advanced –> 1. What is PGP?, 2. Public Key Encryption, 3. Using PGP?, 4. What PGP Can’t Do: MetaData and 5. Sharing your Public PGP Key?.

2. STANDALONE SCENARIOS USING UMBRELLA

TIP: Match scenarios as closely as possible to the real-world needs of participants. If details about these haven’t emerged already during training, solicit with questions like “What are the situations where we might put a source or contact at risk?” or “When are our staff most exposed to danger?”

Meet a contact (50-75 minutes)

GOAL: Participants use the information in the Meetings chapter of Umbrella to plan and conduct a sensitive meeting.

TIP: Time this activity with a lunch or coffee break and encourage participants to pick up food or drink at the meeting point. (Don’t forget to clearly state return time.)

• Review Umbrella chapter Work –> Meetings as a group. Instruct participants to complete the Meetings checklist at the end of the chapter during the activity. (5-10 minutes)

  TIP: Add and delete any item to adapt your own checklist.

  Bonus chapter: Work –> Being Followed.

• Divide the group in pairs or groups of three. In each group, designate one or two staffers and one high-risk contact and establish a scenario for the meeting (e.g journalist/source, NGO/HRD). (5 minutes)

• Participants prepare and carry out their meetings, selecting a suitable location using the internet or local knowledge. (30-45 minutes)

  TIP: Test out Umbrella’s counter-surveillance features. Go to Account in the navigation menu, then select Enable Mask to disguise the app.

• On return, compare checklists to debrief. Which items were a challenge to complete — can you revise them to make them easier to act on? Brainstorm new checklist items to add for next time. (10-15 minutes)

  TIP: Checklists you’ve started appear under Checklists (select from the navigation menu). Participants with Umbrella on their own devices can easily refer to their own list and the percentage completed whenever they need to.

Let us know how it went! (info@secfirst.org)

Plan a trip (70-105 minutes)

GOAL: Participants use the information in the Travel chapters to plan a secure mission to a high risk area.

• Divide the group into pairs or small groups and designate managers and staffers in each one. Instruct groups to choose a location for their trip and write out a scenario—the more detailed, the better. What is the aim of the mission? What are the possible obstacles? Who is the adversary? Invite groups to share their scenario with the room. (10-15 minutes)

• Groups should read the Umbrella chapter Travel –> Preparation and review the related checklist for their mission. Which item seems like the hardest to complete, and what would make it easier? (10-15 minutes)

  Bonus chapters: Travel –> Borders ; Travel –> Vehicles ; Travel –> Checkpoints ; Travel –> Protective Equipment ; Incident Response –> Kidnapping.

• Instruct participants to research security risks in their chosen location. (10-15 minutes)

  TIP: Receive security news in Umbrella via Feeds (select from the navigation menu). Input Location, Security Feed sources, and set how often you’d like Umbrella to check for new alerts (Interval). We don’t track or share your location. You can also add RSS feeds.

• Instruct participants to complete or review the Travel Security Memo under Forms as if preparing for their trip. (Only use real information on a participant’s own device if appropriate to share with other group members). (10-15 minutes)

  TIP: Where information is unknown, add a research item to the checklist eg. check location visa requirements and processing times for X nationality.

• Each group is now familiar with Umbrella checklists, feeds, and forms. Ask if these three things cover everything needed in a travel plan. What’s missing? What other internal or external factors will you need to consider (eg. budget). Note additional needs on paper, or add items to Umbrella checklists as needed. (10-15 minutes)

• Invite participants to compare travel plans with another group. What could go wrong that you haven’t thought of? Red team plans from the perspective of the adversary. How would you disrupt this plan? (10-15 minutes)

• Discuss how to protect travel plans and security protocols from the adversary. (10-15 minutes)

  TIP: Encrypt Umbrella by adding a strong password under Account –> Set password. (We can’t view or share your data, either)

  Bonus chapter: Information –> Passwords.