Afghanistan Digital Care Guide - English

رهنمایی مصونیت دیجیتالی افغانستان به دری  |  په پښتو د افغانستان لپاره د ډیجیتالي مصونیت لارښود

Download full guide as PDF: digital-only version | printable version

Care is Resistance  
"Caring for myself is not an indulgence, it is self-preservation and that is an act of political warfare" (Audre Lorde) 
Taking care of your device and data is not only to protect yourself, but also your whole community.
Journalists, media workers, and activists run the risk of their lives, in case, online and other data, apps, and/or contacts are being used as evidence against them or someone linked to them. Access to this data, apps etc. might be gained. The following scenarios might occur:

  • Confiscation of, and access to phones, tablets, computers, smart watches, and other storage devices (USBs, external hard drives, etc.) during raids, searches, detention, at check-points etc.
  • Surveillance of digital communication and online connections
  • Digital attacks on devices and accounts
  • Open Source Intelligence: research on publicly available platforms like Facebook or Wikipedia

Being aware, that not all risks can be prevented, certain steps such as having less data on our devices, using secure channels of communication and securing our devices can reduce the likelihood or impact of, that data or apps being turned into evidence. At the same time, some of these secure practices can turn into risks, if secure apps would be detected and framed as indicators of being linked to the wrong actors (e.g. international community or alike).

 Risk Prevention steps  Response steps  Remarks 

Confiscation of and access to phones, tablets, computers and smart watches during raids, searches, detention and checkpoints etc.
 
  • Reducing data on our devices to the bare and inconspicuous but realistic minimum
  • Securing data on our device
  • Securing devices
  • Creating encrypted backups of all data
 
 
  • Not giving access to the devices
  • Remotely wiping devices or automatic wiping of devices on failed login-attempts
  • Informing affected people
  • Recovering data and accounts
 
 
  • Important decision: Will you give access to your devices under pressure?
  • Consider, if encrypted backups or other encrypted files and folders could trigger attention and pose an additional risk for you?
 
Surveillance of digital communication and online connections (by authorities, their allies, internet service providers, telecommunication companies)
  • Securing online accounts
  • Using secure online services (end-to-end encrypted messengers, online storage, searches, video conferences, etc.)
  • Securing our internet access through VPN or alike
  • Document the surveillance if possible
  • Activate mechanisms of abuse protection of the service providers
  • Backup and deactivate the affected accounts
  • Secure apps and channels like VPNs might trigger attention themselves and might be risky to use
Digital attacks on devices and accounts (spyware and hacking attacks and planting of evidence by authorities and their allies, criminals)
  • Securing devices
  • Securing online accounts
  • Updating of firmware and software
  • Refusing contact requests by unknown persons through social media
  • Document attacks and all evidence
  • Take the attacked device offline
  • Recover accounts via the provider or emergency helplines
  • Enable 2-Factor-Authentication on regained accounts
 
Open Source Intelligence (OSINT): research on publicly available platforms like Facebook or Wikipedia
  • Reducing digital footprint by removing information or requesting the removal of information from online platforms
  • Trying to remove evidence from online platforms
  • Be aware that a lot of online information cannot be removed completely and if done then only with delays due to distributed backups and platforms like the way-back-machine and other internet archiving services.

1. Emergency hotlines for digital emergencies

If you are a journalist, activist, or civil society member who needs emergency assistance, Access Now’s Helpline provides 24/7 digital security support. Please note: The Helpline team does not speak local Afghan languages.

More Options:

2. Prepare for digital emergencies, detention and check-points: make a plan

To build online safety, determine what threats you face and which of your online activities might put you at risk — your threat model. This first look at digital security: https://www.accessnow.org/first-look-at-digital-security/ can help you get started in answering those questions. When thinking about risks, please keep the following in mind:

2.1 Make a plan for the possibility that you or someone you know could be detained by authorities. Take a look at this guide: https://digitalfirstaid.org/en/arrested/ by RaReNet and CiviCERT — which includes digital security precautions — for more. There is also the Coping-with-Prison-Guide: https://coping-with-prison.org which includes tips for families, supporters and lawyers of detained persons.

2.2 At checkpoints and during raids, be prepared that authorities could confiscate or force you to unlock your device. Do not take your phone with you when going out. Or take a phone, which has no sensitive data like contacts or alike with you. Minimize the amount of data you save on your devices, especially on mobile ones.

  • The golden rule is: if in doubt, delete! No information is worth risking your life or to putting friends at risk. (Tips below on how to delete content and accounts.)
  • Make up your mind, if you would give access to your devices or not. It is not an easy decision, but good to think about it before it happens. Be aware, that fingerprint or Face-ID can be easily unlocked by force, if you are present. On iOS there is the emergency option to switch from FaceID or Fingerprint to passcodes by pressing the power button several times (older iPhones) or by initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds (newer iPhones). Make yourself used to this option, if you might need to use it.

Apps that can pose security risks, for you or others:

  • Address & Contact List
  • Messenger Apps
  • Facebook Account
  • Twitter or other Social Media Accounts
  • Emails
  • Notes & voice notes
  • Photos
  • Search and Web history
  • Youtube videos you have watched / Google account
  • Documents you have stored on your laptop or phone
  • VPN Apps
  • Google/Apple Maps data and location history (significant locations for Apple, location history for Google)
  • Calendar App may contain sensitive entries as well
  • Music Apps (some music might be taken as "politically or religiously inappropriate")
  • Dating Apps

Be aware, that you need to clean the bin of deleted items and that a thorough forensic analysis might bring back traces of these deleted contents.

In case you want to delete everything from your phone: keep at least some personal images to show the use of the phone.

2.3  Change contacts in your address book into Dari or Pashtu language and spelling and check if you need to remove international numbers.

  • Your address book, messenger contacts and chat histories should not contain foreign-sounding names or addresses.
  • If you need to preserve a list with those addresses, do not keep them on your phone or laptop! Send them to yourself on an email account that is not your primary address. Do not save the password for that account on your phone or laptop and do not leave a reference of this email on your device (e.g. if sending an email from your primary email account to your other email address, the email is still in the sent-folder).
  • Delete any harmful emails from your Inbox, Archive, Sent, and Draft folders. Make sure to clear the bin after deleting the emails

2.4 For messengers and other online-groups: Activate several admins beforehand for each chat group, so several people/admins can actually do a kick-out of a member contact if needed (e.g. if someone's phone gets confiscated).

2.5 Don’t respond to contact requests via social media, if they don’t come via friends or trusted channels. There are cases, the T. "dressed" as foreign journalists, requested interviews and, afterwards abused the information and tracked the victim down.

2.6 Create functional email addresses instead of personalized ones, so not to contain names or alike, which could identify you.

3. Special advice for women journalists

If you are identified as a woman, you may face unique digital security threats. Check out this guide: https://digitalrightsfoundation.pk/wp-content/uploads/2017/11/Hamara-Internet-Guidebook-English-Version-2016.pdf from the Digital Rights Foundation for tips; they also provide services in Pashto: https://digitalrightsfoundation.pk/services/ 

For women facing abuse, there is an online safety guide by Chayn (https://www.chayn.co/) in several languages below.

4. Secure your online accounts, phone, tablet & computer

4.1 Require passwords to unlock your phone and computer, and enable full-disk encryption (if you think, this might trigger attention if your device is searched, have a story ready to justify or just secure your data on the laptop securely. Turn the device off if left unattended and when going through a security check. See point 2, if you will be willing to share your passwords or access to your devices or not.

4.2 Use an end-to-end encrypted messaging app, like WhatsApp: https://whatsapp.com or Signal:  https://signal.org or Wire: https://wire.com for texting and enable disappearing messages and/or clear chats regularly. Be aware, that apps like Signal or Wire, which are not so frequently used or only used by “international” non-governmental organizations (INGOS) or “NGO people” might trigger attention, although they might be as such safer than Whatsapp. An alternative to Signal for Android is a Signal-based messenger, called Molly, which might not trigger attention: https://molly.im/

4.3 Check the security settings on your accounts. See whether you have missed any important action items, and set up security alerts. If possible enable 2-Factor-Authentication (2FA) using an authentication app like freeOTP: https://freeotp.github.io/ or Aegis for Android (as it has a lock with password feature): https://getaegis.app/ and Raivo for iOS: https://apps.apple.com/us/app/raivo-otp/id1459042137

4.4 If you want to change your phone or phone number due to anonymity reasons, be aware, that you always need to change both the phone AND the SIM-card. As both identify separately but at the same time to the phone towers (SIM-card number plus IMEI-Number of the phone), changing only one of them won’t suffice because, the other one still identifies you!

5. Delete your digital history and minimize your online footprint

It’s uncertain if and to what extent Taliban forces are currently surveilling people, notably human rights defenders and journalists, online. The situation is developing quickly, and it could be helpful to delete online information (https://news.trust.org/item/20210817111442-4d73x) that may hurt your online safety in Afghanistan. Following is some guidance from WIRED: https://www.wired.com/story/how-to-clean-up-your-digital-history/ and Human Rights First: https://www.humanrightsfirst.org/sites/default/files/How%20to%20delete%20your%20history_updated.pdf; Farsi version here: https://twitter.com/dooley_dooley/status/1427223031429181441

Attention:

1. Be careful about giving personal information to third-party services.
2. Some platforms have data retention policies that archive accounts for law enforcement.
3. Your deleted data may still be retained locally on your laptop or phone.

5.1  How to delete selected content, like photos and posts and secure use

A general short guide in Farsi: https://twitter.com/dooley_dooley/status/1427223031429181441 and for Facebook: https://www.facebook.com/help/261211860580476/ 

  • The Taliban have an active presence on Facebook and may use FB to identify who is openly opposed to them, who works with foreigners, and who has resources that might be exploited.
  • Facebook has launched a one-click-tool to quickly lock down their account. When their profile is locked, people who aren’t their friends can’t download or share their profile photo or see posts on their timeline: https://twitter.com/ngleicher/status/1428474008295464965
  • Create a ‘local’ account with only local friends that you keep on your phone app to avoid being associated with your international contacts. Keep your account as generic as possible, no political or religious content. Use a generic photo as profile picture, you might want to use a pseudonym. Be aware, that if you bind your new account to a phone number, your account might become traceable through the phone number!
  • Make sure the “about” section of your account is not visible to the public. Do not add any job history to your account. Make sure your previous affiliations with any foreign entity including your job history is not visible on your account.
  • If you want to keep your ‘international account,’ only log on to it when you are in the safety of your home. Do not store the password on your phone or your laptop.
  • Check your Facebook posts (delete ANYTHING that is potentially objectionable), your friends’ list (delete anybody who may raise suspicion, especially if foreign), and check what groups and pages you have liked in the past.
  • Check your Facebook photos, especially profile and cover photos. Check the settings of all these photos, including the old photos, and make sure these photos are not visible to the public and only your trusted friends can view them. If you have any “questionable” photos, delete them.
  • Restrict who can see your friend lists (and ask all friends to do the same). This can be done in Settings:  “How People find and contact you" - “Who can see your friends list?” - “Only me.”
  • Do not tag fellow Afghans in Facebook
  • Disable the functionality that others can tag you in photos: https://www.hongkiat.com/blog/prevent-facebook-tagging/amp/

Review posts and photos that people, including your friends, have tagged you in the past, and if “problematic”, remove the tags.

Twitter: https://www.businessinsider.com/how-to-delete-old-tweets-from-twitter-2018-12

  • Similar rules (as for Facebook) apply for twitter or other social media accounts. Review your list of whom you follow, and unfollow anyone or delete any tweets that could be objected to by the Taliban.
  • Make sure you have not activated “tweet with location” in your Twitter setting. If you have, disable
  • Wikipedia: If you find information on Wikipedia or other Wikimedia projects that could cause harm to you or other people in Afghanistan, please email ca@wikimedia.org and put AFG in the subject line. Review your friends’ profile pictures and cover photos. If any of them has a “questionable” photo (for example: showing a flag or a banner that could be considered Anti-Taliban), ask them to change their it. If in doubt, delete this contact.

5.2  How to delete entire accounts

5.3  How to deal with photos

  • Make sure you review all of the photos you keep on your phone to make sure that there are no "objectionable" photos (such as of you with an American flag, you with foreigners, or of women without hijab or your family abroad).
  • If in doubt, delete! It is understandably hard for you to delete photos that mean something to you, but remember they could potentially put you or others at risk.
  • If you want to keep them, store them in the cloud, which does not use your main account, under a name and password that is not recorded anywhere, and delete them from your phone. See for example: What is and how to use Google Drive (English Video with Persian subtitle): https://youtu.be/EbVnObwFJic
  • There are some apps that allow you to keep photos hidden behind a ‘decoy’ folder or that pretend to be another app (such as Secret Calculator or Private Photo Vault), but remember this is not safe because other people know about these types of apps, too.

5.4 Online searches – Google – Youtube

Before browsing websites that could be seen as Anti-Taliban:

  • Enable the private browsing mode in your browser
  • If possible do not accept cookies
  • Do not save bookmarks
  • Do not save login data or passwords
  • Do not login to websites with Google or Facebook or connect them to a third party website account

In general:

  •  Try to use browsers (like Mozilla Firefox) that protect your privacy and enable additional privacy settings
  • Make sure to build a history of “safe” websites you visited (i.e. do not always surf in privacy mode). Your computer should show some entries so that no one will get suspicious.
  • Make sure you are not logged in to browsers such as Firefox or Google Chrome (for example, make sure you are not logged in to Chrome browser with your Google/Gmail account). If you browse the internet while logged in to your account, your account will keep a record of all your activities.

Remove sensitive search results:

Request removal of actual site content: Removing the search result does not remove the content. You will have to work with the owner of each site to remove your information from that site.

On Youtube & Google:

  • Remember that if you search youtube videos, this may show on your google account on your phone (the two accounts are usually linked)

This “self-doxing” guide: https://guides.accessnow.org/self-doxing.html might also be useful for understanding how much information about you is publicly available and minimizing things that can put you at risk, especially for activists who are detained and questioned about their views. You could be newly targeted for things you’ve posted, or based on your networks: https://twitter.com/BBCWomansHour/status/1427287851016798213

If you discovered particularly sensitive information on a site, and you’ve been able to remove it from the site, also enter the URL of the specific page where the information was on https://archive.org/web/

If there is an archived copy there, please contact help@accessnow.org for support.

6. What to do if you lost your device

If that happens, it’s important to act quickly to lessen the risk of someone else accessing your accounts, contacts, and personal information.

Check out this Digital First Aid guide: https://digitalfirstaid.org/en/topics/lost-device/ to learn how to assess your risk, and what to do next.

6.1 If possible, lock and wipe the phone remotely

6.2  Kick the number of the lost phone out of all social media groups (to prevent that the person finding the phone might gain access to those social media groups). For this, activate several admins beforehand for each chat, so several people/admins can actually do this kick-out

  • WhatsApp
  • Signal
  • Telegram

6.3  Change all passwords for all accounts affected (including for their reset/recovery email addresses) and enable 2-Factor-Authentication on these accounts where possible.

6.4 Inform your contacts about the loss of the phone and the risk that your contacts might be abused by the person finding and accessing your phone.

7. Recover your account

Most social media platforms, email services, and other sites have resources to help you recover your account. Major platforms also typically have ways to report any unusual account activities. We’ve listed several guides below. And also check out this first-aid guide: https://digitalfirstaid.org/en/topics/account-access-issues

8. VPNs: protecting against spying, attacks & censorship

VPNs build an encrypted tunnel between your device and the exit provided through the VPN. So it can not only access websites etc, which might be blocked and censored, but protect your surfing and traffic from being surveilled.

  • If you are already using a VPN, continue with the same one, but check, if it is working properly. If you don't use a VPN so far, it might draw attention to you! Check out, which VPNs are mostly used to hide well in the crowd.
  •  All of this only helps if you download these tools before censorship or network shutdowns happen. Your use of these tools can often be detected by your Internet provider, and show up as installed apps visible to anyone looking at your unlocked phone.

VPNs with good anti-censorship track records:

  • Mullvad: https://mullvad.net/en/download/ (Windows, MacOSX, Linux, iOS, Android) €5 per month; free licenses available from helplines like help@accessnow.org, anonymous purchasing method without sign-up and also accepts cash and crypt.
  • VPNGate: https://www.vpngate.net/ (Windows, MacOSX, Linux, iOS, Android) a list of public VPN relay servers hosted by volunteers around the world.
  • Bitmask: https://bitmask.net/ (Windows, MacOSX, Linux, Android) is an open source VPN. You can use a built in provider (riseup.net or calyx.net) or start your own. Many other VPNs are available out there, but not all have made efforts to evade censorship or have good and proven security, privacy, and business practices. This review is a good place to start if you are looking for additional options: https://www.nytimes.com/wirecutter/reviews/best-vpn-service/

A good resource for how VPNs work, what they do and what they don't help with is here: https://ssd.eff.org/en/module/choosing-vpn-thats-right-you

Please note that most (if not all) VPN “review” sites profit off of VPN purchases and/or are owned by the same companies which own the VPNs.

Dedicated anti-censorship tools:

Make your risk assessment, if these apps could pose a risk to you (like triggering attention), if they are found on your devices or their use otherwise discovered.

  • Psiphon is a free and open source censorship circumvention VPN that uses a variety of techniques to bypass Internet censorship: https://www.psiphon3.com/en/download.html (iOS, Android, Windows)
  • Download via email: Send an email to get@psiphon3.com to receive mirror download links of Psiphon in multiple languages.
  • Lantern is a free and open source censorship circumvention VPN that uses a variety of techniques to bypass Internet censorship.
  • https://getlantern.org/en_US/index.html (Windows, MacOSX, Linux, iOS, Android)
  • Download via email: Send a request to GetTor (gettor@torproject.org ) specifying your operating system (and your locale). Ex: "windows fa"

9. Secure video conferencing

Messengers which allow for secure video calls. Be aware, that Signal and Wire might trigger attention, as they might not be so widely used in your communities.

Signal: https://signal.org
End-to-end encrypted video calls available for up to 8 participants
Tied to the mobile phone number

Wire: https://wire.com
End-to-end encrypted video calls available for up to 4 participants (free version)
Possibility of signing up without phone number

WhatsApp: https://whatsapp.com
End-to-end -encrypted video calls available for up to 4 participants
Part of META-company (formerly Facebook, so meta-data is going to be captured)

JitsiMeet
Video calls for up to 25 participants on trusted servers and free to use
On computers access with browsers, apps available for Android and iOS
Trusted Providers: https://meet.greenhost.net/ and https://meet.systemli.org/

Secure use guides:
- https://www.frontlinedefenders.org/en/resource-publication/guide-secure-group-chat-and-conferencing-tools
- https://www.frontlinedefenders.org/en/resource-publication/jitsi-meet-simple-and-secure-video-conferencing-platform

App downloads for phones:
https://jitsi.org/downloads/

If you need to use conferencing tools like zoom.us make sure, that you enable the end-to-end -encryption feature: https://support.zoom.us/hc/en-us/articles/360048660871-End-to-end-E2EE-encryption-for-meetings

10. Secure file sharing & online storage

For storing documents securely on your computer or securing (encrypting) files before uploading them for online sharing and storage, the app Veracrypt: veracrypt.fr allows to save encrypted containers (folders) on harddrives and online storages, Google Drive or on Dropbox, which to outsiders look like normal or system files. After using Veracrypt to encrypt a document like this, opt for deleting the application afterwards (including from Trash), to avoid that the app draws attention. See: How to Use Veracrypt (English Video with Persian subtitle): https://youtu.be/C25VWAGl7Tw

10.1  File Sharing: Secure (end-to-end encrypted) options

If you are using the TOR-Browser: https://www.torproject.org/; Onionshare: https://onionshare.org/

10.2  Online Storage

Use online storage only through browser, not through installed apps!

  • If you use a cloud-access from an organizational server, be aware, that the URL/Link used might give away the name of the organisation and this can be seen by the Internet Service Providers. In this case the use of a VPN is reducing the risk.
  • these commercial ones might draw less attention: https://mega.io/ (20GB for free); https://sync.com (5GB for free)
  • https://cryptpad.fr/drive - The name might draw attention!!!
  • Google Drive and OneDrive and iCloud are not end-to-end-encrypted, so the servers can see, what you have uploaded, if you don't protect it beforehand (like ZIP-file with password on it or something similar).
  • You may have a need to store documents somewhere (such as copies of your family’s passports, your employment contracts, papers that document danger you have been exposed to).
  • The best thing to do is to ensure these documents are saved in a secure cloud storage that does not use your main email account, or sent to a secure email address that you can access but is not your main known account, and not stored on your phone or your computer.

Credits

This guideline is based on interviews with Afghan journalists as well as on these guides:

1. Online safety resources for Afghanistan’s human rights defenders (EN): https://www.accessnow.org/online-safety-resources-afghanistan/

2. Checklist for Afghans. Minimise Risk through Data on Phones/Devices (20 August 2021; EN, Dari, Pashto): https://docs.google.com/document/d/19GPJDmMLPagNnbumZwmKZGJaIiRMFmHiJKtuvmL6wl8/edit

3. Digital Security Resources for Afghanistan. Internet Shutdowns, Online Privacy (EN, Dari): https://drive.google.com/drive/folders/1v9WvDvoCPjP13Y2Lsd0hqwDt6mqEgvtW

 

Please note: The information and resources provided in this guide are current as of May 2022. We plan on making an updated version available every six months for at least next two years. The updates will be available for download at: https://qbpqwhtvgo.oedi.net/digital-security-guide/afghanistan-digital-care-guide/

to top