K+LAB


The challenge

Citizens, civil society organisations, journalists, human rights defenders and activists use the Internet and digital technologies to carry out their day-to-day activities, to guarantee access to reliable information, to hold leaders accountable, to safeguard civil liberties online as well as offline, and ultimately to uphold democratic values. While the Internet provides opportunities to increase participation, fight discrimination, promote human rights and foster development, cyberspace is also misused by malicious actors and governments to restrict Internet access, violate civil liberties and unlawfully infringe citizens’ privacy, among other abuses.

According to Access Now, in 2019 a total of 213 Internet shutdowns were registered across 33 countries, which amounted to 1706 days of Internet disruption. Insufficient levels of cybersecurity can also lead to the loss or disclosure of confidential data. These issues represent not only a cybersecurity concern, but also a concrete barrier for development. Societal awareness and political traction regarding digital rights and the interlinkages between ICTs and development are increasing in Latin America, where mass-scale deployment of interconnected services has heightened concerns about citizens’ privacy and data protection, freedom of expression, digital activism and cybersecurity.

A response

This story is part of the Karisma Foundation’s Digital Security and Privacy Lab (K+LAB) initiative. It was officially launched in 2018 as one of the responses to the digital security problems faced by civil society organisations, journalists, human rights defenders and activists in Colombia. Through this initiative, Karisma contributes to the principle of co-responsibility that was introduced by the 2016 National Cybersecurity Strategy.

The K+LAB has three strategic objectives:

– analysing, in a non-intrusive way, the security and privacy of government websites and apps;

– carrying out awareness-raising and training programmes for Colombian civil society organisations in order to improve their security and digital privacy;

– providing evidence for the policy advocacy undertaken by the organisation.

In relation to the first strategic objective, the K+LAB is a citizen exercise aiming to contribute to the country’s digital security by developing DIY methodologies and collecting evidence to inform policymaking. The citizen audit exercises on digital security that Karisma carried out allowed the organisation to identify the need to have an effective and coordinated disclosure channel to report and fix identified vulnerabilities in the country.

K+LAB analyses in a non-intrusive way the security and privacy of governmental web pages, but does not limit its work to security assessments. Working from the idea of joint responsibility, it keeps in constant touch with policymakers to ensure that its findings contribute to better policies. In addition, K+LAB collaborates with Colombian civil society organisations to raise awareness and improve their digital security, working in areas as diverse as consumer defence, LGBTI rights, environmental protection, women’s organisations, organisations of victims and displaced persons, and groups of journalists.

 

You can learn more about this project here.

The impact

K+LAB analysed the website Unidad Victimas, containing information on the care, assistance and reparation of more than 8.5 million victims of the internal armed conflict in Colombia.

Thanks to K+LAB’s work, citizens who use this website can be more confident that its cybersecurity is taken seriously and their personal data are kept private: a secure HTTPS protocol was implemented, policies and privacy notices were generated and access control was implemented to minimise the risk of sensitive information leakage.

K+LAB also contributed to strengthening the security and data protection policies of the IMEI Colombia Analysis website, where citizens can check data regarding Colombian cell phones that have been blocked due to theft or loss. K+LAB also provides comments on governmental projects such as the police code, the strategy against cell theft, the Digital Citizen Services decree, the security of the DANE e-census website, and the governmental digital security risk management model.

K+LAB analysed three tools available in Colombia for COVID-19 disease information, symptom tracking, contact tracking, mobility passports, and enforcement measures for quarantines or stay-at-home orders, in order to understand how these tools protect privacy and address digital security. The organisation produced a technical report as well as some recommendations for national and local authorities on how to better protect the privacy of users.

Project DNA


Which aspects of this project have contributed to its success? And which, according to the implementing organisations, might play an important role in launching similar initiatives in other parts of the world? The project DNA profiling on the basis of the Good Cyber Stories framework highlighted the importance of three success genes in particular:

 

T – Transparency and accountability

K+LAB makes transparency and accountability its flagship. K+LAB’s work revolves around making sure that online services are not only secure, but also offer adequate transparency on how they use users’ sensitive data, so that citizens can trust the technology. For example, in 2018, in cooperation with the ‘Misión de Observación Electoral’, K+LAB contributed to developing an audit protocol proposal to ensure the transparency of the Colombian election scrutiny software.

The audit exercises are conducted on the basis of a non-intrusive DIY methodology. In this way, Karisma seeks to enable more people who are interested to conduct digital security analyses in a responsible manner to help improve the country’s digital ecosystem. It is also a way to educate people on the subject, and to sensitise the public and private sectors to consider the importance of the collaboration of citizens and civil society to improve the confidence and security of the country’s digital ecosystem. This has a direct impact on economic and social sustainability.

 

M – Multi-stakeholder participation

Multi-stakeholder participation in K+LAB ensures that the activities of the Lab are independent, non-partisan and as scientifically grounded as possible. Furthermore, the diversity of funding guarantees the independence of the project. Non-profit organisations such as the Open Technology Fund (OTF) granted funds to cover the salary of an expert in digital security and privacy for one year and provided K+LAB with equipment. A scholarship by Access Now also funded the project, and Open Society granted a scholarship to develop an awareness, training and support project for six civil society organisations that have trusted Karisma in this process. Recently, the Electoral Observation Mission (MOE) signed a collaboration agreement with K+LAB.

K+LAB also works with Colombian civil society organisations to improve their digital security. This allows us to learn first-hand about the needs and challenges faced by a wide range of human rights organisations. This experience also serves to inform policymaking. On the other hand, the digital security analyses that Karisma carries out on government websites and apps have sometimes focused on computer systems and networks related to national support programmes for vulnerable groups, such as the analysis we conducted on the website of the Unit for Integral Care and Reparation for Victims (National Unit, see here).

 

F – Legal and institutional framework

K+LAB has been conducting citizen audit exercises on digital security for several years, in which the digital security of government websites and applications has been analysed in a non-intrusive manner. When presenting audit reports, we faced significant barriers to delivering the results to the relevant government entities. Especially at the beginning, the processes were quite contentious, complex and dependent on the intermediation of the Ministry of ICT.

Hence, Karisma decided to conduct state-of-the-art research on coordinated vulnerability disclosure in Colombia and a comparative analysis of how this issue is addressed in other parts of the world. The ultimate goal was to show the possible strengths and weaknesses of legal and institutional processes in Colombia, and to offer recommendations to solve the problem.