About the DSX
- Our approach
- Who makes up the “Exchange”
- How we’ve helped
- Privacy, security, transparency, and accuracy
- How we vet providers
- Technology
- Our origins
- Who we are
- FAQ
The Digital Security Exchange, or DSX, works to strengthen the digital resilience of U.S. civil society groups by improving their understanding and mitigation of online threats. It is the U.S. implementation of the Center for Digital Resilience.
The DSX is a facilitator, not a provider. We work alongside organizations to assess their risks and identify their digital security needs. Meanwhile, we also receive requests from digital security experts offering their help. When possible, we connect organizations to experts to help address specific risks and vulnerabilities.
The digital security providers in our network are trusted trainers, analysts, and technologists working with civil society and human rights organizations in the U.S. and around the world.
We will not work with, and reserve the right to refuse service to, anyone who espouses an agenda of hatred or division or who is not otherwise committed to the values set forth above.
While we are open to working with a broad spectrum of organizations, we focus on “intermediaries”: legal aid providers, rights advocates, social service groups, and grassroots organizers working on progressive issues including women’s rights, reproductive justice, domestic violence, immigrant rights, human rights, climate change, and journalism/media.
Organizations around the country are often aware that they need some kind of digital security help, but they may not know what kind of help, or where to turn. We’re focused on building a sustainable, scalable approach to bridging that gap.
Our approach
After making contact with organizations seeking assistance, the DSX team (including founder/director Josh Levy and teammates such as Tiffany Robertson of Guardian Project/Okthanks) provides a complimentary security assessment. Based on that assessment, we connect organizations to digital security providers from within the network who can help.
A few principles guide this process, including:
We are advocates for organizations in need of digital security assistance. We see ourselves as case workers. As such, we work with organizations to assess their risks and, based on that assessment, we connect them with the appropriate providers, all while making sure that each party is getting what they need out of the engagement.
Whenever possible, we refer organizations to providers within their communities as a first response. We believe that the digital security providers who are already working within their own communities are best equipped to meet the needs of those communities. We are here as a technical assistance and knowledge source for those seeking additional support.
We seek out, listen to, and partner with digital security providers from across many different contexts in order to inform and shape our work. We prioritize working with those who have worked with or within civil society and the social sector, and who understand the needs, environment, and culture of these groups.
Who makes up the “Exchange”
Communities the DSX has served include:
- Women’s and Reproductive Rights
- Human Rights
- Domestic Violence
- Refugees and Immigration
- Environmental Organizations
- Legal Aid
- Funding and Policy Organizations
Providers in our network include established digital security and training organizations and trusted individual providers with experience working with human rights and civil society organizations around the world. Go here to view some of the providers within the DSX network.
Areas of assistance the DSX and our providers have expertise in include:
- Analysis: Threat Modeling, Best Practice Review
- Internal Process: Security Policy Development
- Securing Systems: Secure Collaboration Tools, Securing Infrastructure and Hardware
- Reporting: Journalism, Research, and Safe Protests
- Digital: Circumvention Tools, Protection of Online Privacy
- Development: App and Web Development
How we’ve helped
Below are a few case studies to illustrate the DSX’s work with organizations and providers.
Case 1: An organization working with journalists needed assistance training their team on securing their networks, reporting safely, and protecting themselves from harassment.
Areas of Assistance the Provider gave:
- Journalism and Safe Reporting
- Education/Training
- Security for Protests
Case 2: An immigration hotline delivers tips and physical assistance to callers. They needed assistance creating secure channels of communication and response protocols.
Areas of Assistance the Provider gave:
- Securing Data
- Securing Communication
- Threat modeling
- Securing Hardware
Case 3: A grant-making foundation sends and receives many attachments within their application process. These attachments are full of sensitive, identifiable information. They needed help finding a better way to send and receive attachments.
Areas of Assistance the Provider gave:
- Using Secure Collaboration Tools
- Best Practice Review
- Policy Writing
Privacy, security, transparency, and accuracy
We retain as little data as possible about our interactions with organizations and providers, and we prioritize keeping the information we do have safe, secure, anonymous, and free from attack. In some cases we will develop simple and secure records of organizations and providers in order to ensure the highest quality of service. In other cases, we will retain no data at all. Organizations and providers can request that we retain zero data about our interactions, and we are developing secure and anonymous forms of intake and communications. More information about DSX’s privacy policy and approach to user security can be found here.
How we vet providers
We only match organizations with providers we trust and who have been vetted to work collaboratively within relevant communities; whose values align with our own; who have worked previously with our staff, Advisory Committee members, and/or other DSX providers; and who have demonstrated expertise in customized approaches to digital security. In addition, we require that providers have data retention policies that are in harmony with those of DSX and agree to provide a minimum level of committed action and to participate in learning and feedback sessions with DSX.
Technology
We believe in using technology that is free software/open source, because we can never fully verify the integrity of proprietary code – if malware exists in open source software, we can find it. In addition, we believe in the participatory philosophy of free software projects, including our own, which we encourage others to contribute to, to audit, and to use.
The DSX website is built using Jekyll, the static website engine. This increases security and helps us maintain a simple site. All of our assets (except the DSX theme) are licensed under free software licenses and are freely available for use by similar projects. You can find our codebase on GitHub.
Our origins
The Digital Security Exchange concept was first developed by Josh Levy after the U.S. presidential election in November 2016. It was a response to the increased demand for digital security capacity from U.S. activist groups, journalists, and social service organizations – all of whom knew they needed to increase their security levels but didn’t know who to turn to for help.
In March 2017, after pulling together an initial working group and socializing and evolving the DSX concept, the project received a generous donation from an anonymous donor, providing crucial startup support. Soon after, the Internet Systems Consortium agreed to be the project’s fiscal sponsor, a role it served through July 2018. The DSX is now a community of Center for Digital Resilience (CDR), which is also its current fiscal sponsor (Levy is also technology director and a co-founder of CDR).
The project has received support from the Mozilla Foundation, Omidyar Network Fund, and Small Media Foundation. We are also grateful to Stanford’s Digital Civil Society Lab, which provided crucial early support.
Who we are
Staff:
Josh Levy, Founder and Director
Josh is a digital strategist, technologist, and rights advocate. For more than a decade - including as advocacy director at Access Now and campaign director at Free Press - he’s helped lead global efforts to protect free expression online, fight for privacy and the right to encryption, secure strong open internet rules, rein in overreaching government surveillance, and otherwise protect the rights of at-risk internet users. He’s also co-founder of the Center for Digital Resilience and a non-resident fellow at Stanford’s Digital Civil Society Lab.
Ingrid Skoog, CDR Security Director
Ingrid translates complex security and privacy concepts into actionable measures people can understand and apply to their daily lives. Prior to joining CDR, Ingrid built a privacy program for a global for-profit organization creating policy and ensuring regulatory compliance. She’s served on the Harvard University Committee on the Use of Human Subjects and advised researchers there on security risks. Ingrid also spent over a decade supporting various branches of the US Government in a variety of technical roles.
Tiffany Robertson, Project Manager
Tiffany is the community ambassador and quality assurance gal at Okthanks, a design firm focused on bridging the gap between users and product teams and specializing in human-centered design, clear brand messaging, and usable security products. She has a degree in Peace and Justice from the Joan B. Kroc Institute for Peace and Justice at the University of San Diego and enjoys learning about all aspects of empowering and protecting lives.
Advisory committee:
Nathan Freitas leads the Guardian Project, an open-source mobile security software project, and directs technology strategy and training at the Tibet Action Institute.
Sara Haghdoosti founded Berim.org, an organization focused on supporting Iranian changemakers. She is also a campaigns expert who has worked with groups such as Mozilla, Change.org, GetUp and others.
Harlo Holmes, Director of Newsroom Digital Security at Freedom of the Press Foundation. Harlo is a media scholar, software programmer, and activist and contributes regularly to the open source mobile security collective The Guardian Project.
Holly Kilroy is Communities Director of Center for Digital Resilience and is co-founder of Security First. She has spent the past ten years building projects that leverage technology and civil society coordination to address issues of human rights and conflict.
Matt Mitchell is a hacker and the Director of Digital Safety & Privacy at Tactical Tech (also known as the Tactical Technology Collective). In his work there Matt leads security training efforts, curricula, and organizational security for the organization in their mission to raise awareness about privacy, provide tools for digital security, and mobilize people to turn information into action. Matt is a well-known security researcher, operational security trainer, and data journalist who founded & leads CryptoHarlem, impromptu workshops teaching basic cryptography tools to the predominately African American community in upper Manhattan. Contact info can be found here.
Soraya Okuda is a designer passionate about education, usable security, and media production. She manages EFF’s Security Education Companion (sec.eff.org), and is excited to support efforts in privacy, conveying technical concepts to beginners, and creating accessible materials for targeted and under-resourced groups. Previously, she was an English teacher to elementary school students, and was the development director for a nonprofit operating a secondary school. She has a B.A. in International Relations and a M.Ed. in Technology, Innovation, and Education.
Bruce Schneier, internationally renowned security technologist, fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org; and a special advisor to IBM Security and the Chief Technology Officer at IBM Resilient.
Jamie Tomasello, Senior Manager, Security Operations at Duo Security. Previously, Jamie has been the Technology Director for Access Now and Head of Policy and Investigation at Cloudflare, and is a Certified Information Privacy Professional (CIPP) and Certified Information Privacy Technologist (CIPT).
Ethan Zuckerman, director of the Center for Civic Media at MIT, and an Associate Professor of the Practice at the MIT Media Lab.
FAQ
Why should I be worried about digital security if I’m not working with the government, providing any online services, etc.?
Most civil society organizations, non-profits, journalistic organizations, etc. have a wealth of sensitive information about their donors and served populations that is accessed from a variety of devices and locations by their staff, board, and volunteers. These days most hacks happen due to opportunity, not necessarily a targeted malicious attack. We work under the premise that every organization will have their digital security tested for vulnerabilities and it is less costly to address these vulnerabilities before a serious threat.
How do I know what level of access or interaction with DSX and its providers I need?
DSX will assess your initial communication with us and follow up with further assessment to evaluate your current situation and mutually determine what your needs and resources are to make the appropriate match with a provider.
What if I don’t like/agree with the approach proposed by the provider?
Your provider will propose a plan to you before you start actively working together. You are encouraged to ask questions, consult with other external and internal partners, and finalize an approach that works for all parties.
What if the recommended approach doesn’t work? Or I implemented the recommended approach but we still got hacked/lost data, etc.
We trust that our providers are experts in the field and with your particular context and have recommended the best plan to mitigate risks and threats. Should the recommended approach fail to mitigate risks we would evaluate the plan, execution, and the resulting action for the best path forward.
There may also be the situation that the recommended approach as provided and executed was the correct one for your organization and worked but that there were new threats that arose in the interim that could not be predicted.
What if our organization has a conflict with the provider?
We strive to make the best match between your organization and the provider. If there is a conflict that arises that you are unable to resolve, please reach out to us and we will work with you to make it better.
How much money and commitment will this take?
We can’t quote a price or timeframe as every organization has a different security and risk profile. However, there are various factors that will determine cost and time, such as your imminent risk, how much importance you place on securing your networks, involvement by your board, etc.
I notice you provide your PGP fingerprint and a Signal number. What are they and why do you use them?
PGP stands for “Pretty Good Privacy” and is an encryption protocol that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions and to increase the security of email communications. We use it to conduct private and secure conversations over email and to encrypt data submitted through our organizational and provider intake forms.
Signal is an encrypted communications application for iOS, Android, Mac, Windows, and Linux. It uses mobile phone numbers as identifiers, and uses its trusted protocol to enable end-to-end encryption for communications with other Signal users.
We encourage you to contact us via encrypted email or Signal, but we don’t require it. No matter how you contact us, your identity will remain private and we won’t store any data we don’t need to help us assist you. For more information on our data security and retention policies, go here.