Getting Online For Human Rights: Section 2

GETTING ONLINE FOR HUMAN RIGHTS
Section 2. Protecting the Authenticity and Integrity of Human Rights Information on the Internet

Go to:

[Table of Contents][Section 1] [Section 2] [Section 3] [Section 4] [Section 5] [Appendix]

Language
(this page):

How can I be sure of the authenticity of information on the Internet?

Not all human rights information on the Internet is accurate or even legitimate. Any individual can post a message to a newsgroup, or write and send an urgent action, or create a Web site and post to it whatever they choose. There have been many instances of phony sites that look like the real one and where even the Internet addresses look legitimate. As an example, someone recently set up a governmental propaganda site to lure people looking for Amnesty International materials on Tunisia, with an address which appears to be an official Amnesty International address: http://www.amnesty-tunisia.org! While I can not suggest here how to determine whether what you read on the Internet is legitimate or accurate, I can suggest several measures to help protect and ensure the integrity of information.

Use Signatures in Your Email Messages

If you use email to distribute information, including urgent actions or reports to wide audience, it is a good idea to include a signature at the bottom of each message that you send. The signature should include such information as:

your name
organization
telephone and fax numbers
email address
other information, including an organizational Web page if available

Because of the anonymous nature of the Internet, it is important for people to know who you are and how to get in touch with you, especially if your message is forwarded multiple times or is posted in a newsgroup and your name and email address as the source of the information gets stripped from the message. By including a signature (Figure 15) (see also Section 2, Use Digital Signatures) with your message, people will know who originally wrote or posted the message and can contact you to verify the contents of the message, follow up for additional information, etc.^[14] Check your email program to see if it has a signature option that will automatically append your contact information to every outgoing message.

*------------------------------------------------------------------*
* Stephen A. Hansen 				 shansen@aaas.org
* Senior Program Associate                      tel +1(202)326 6600
* Science and Human Rights Program              fax +1(202)289 4950 
* American Association for the Advancement 
    of Science    
* http://shr.aaas.org/                           http://www.aaas.org
*------------------------------------------------------------------*

Figure 15: Example of a signature placed at the bottom of an email message

Sign Your Messages Digitally

The encryption program PGP™ ("Pretty Good Privacy") ^[15], developed by Phil Zimmermann, in addition to totally encrypting a message (see Section 3, Use Encryption), can be used to digitally sign email messages or documents. A digital signature does two things. First, the recipient of a message you send can verify that it came from you, as only you can place your own distinct digital signature on the message. Secondly, the recipient can verify that the contents of the message have not been altered since it left your computer.

-----BEGIN PGP SIGNED MESSAGE-----

13 May 1998

AMERICAN ASSOCIATION FOR THE ADVANCEMENT OF SCIENCE HUMAN RIGHTS 
ACTION NETWORK (AAASHRAN)

TURKEY-HUMAN RIGHTS ACTIVIST ATTACKED

CASE NUMBERS:      TU9805.Bir

ISSUES: Right to life, liberty and security of the person

FACTS OF THE CASE: Prominent human rights activist Akin Birdal, 
president of the Human Rights Association of Turkey and vice-president

[excerpted]

-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5.2

iQCVAwUBNWGbVxfHO2gj8TB1AQFfEQP/WQCk7M75WX86UnU+v5lJcNMyjIrM9vcQ
/yITAqFLAXVy0f1vT/XWNsItfyAZwKPjkGsx3c4WvKv2VvjNApdylND6HDAgxYEN
1Hk7PPDKK56/oh4XcWmG1o0UWAQK7cPpHCSgw3EPIMLcNLzkP9bUQ8ewcIpV35Vp
E9drinhvmzU=
=nlGl
-----END PGP SIGNATURE-----

Figure 16: Excerpt from an AAASHRAN alert containing a digital signature

For example, the AAAS Human Rights Action Network (AAASHRAN) places digital signatures on all the alerts it sends out (Figure 16). Recipients of these alerts can use PGP to verify that the author of the alert is, in fact, AAAS and that the information in the alert has not been altered in any way.

When used, digital signatures can be a strong deterrent against any tampering with information. If someone intercepted the alert shown in Figure 16 and altered it in any way, for example, by changing the name of the source of the alert or the victim name, a quick check with PGP would indicate that it is no longer an original AAAS alert (Figure 17).

File has signature. Public key is required to check signature. .
WARNING: Bad signature, doesn't match file contents!
Bad signature from user "Science and Human Rights Program
<shrp@aaas.org>". Signature made 1997/07/03 21:31 GMT

Figure 17: Signature check with PGP revealing that the contents of message have
been altered or it was not signed by the stated sender

If you use digital signatures, try to make this fact as widely known as possible. Send an email announcement to all those with whom you exchange information electronically and/or post the fact on your Web site, along with your public key which is needed to verify your signature. This should deter others from stripping off your digital signature as it will signal to your audience that any information coming from you should contain a digital signature. If the digital signature is missing, the authenticity and integrity of the message should be questioned immediately.

Verify Information by Comparing it to Web Sources

Very few people check electronic signatures, and often people will remove a signature when they forward a message on to others. ^[16] Digital signatures are not very attractive and of little use to those who do not have the necessary software to validate the signature. If you receive an alert or other sensitive information via email, you might be able to verify its authenticity by comparing what you received to a copy posted on an official organizational Web site. Organizations such as Amnesty International, Human Rights Watch, and the AAAS Science & Human Rights Program also post their alerts on their home sites. If you cannot locate the information on the Web, send an email or call the organization to verify the authenticity of what you have received.

In addition, if you are sending out alerts, post them on your organizational Web site if you have one, or find a Web site that might post your alerts. You can then direct people to that Web site in the alert itself so that they can verify its authenticity. Be sure to check the alert periodically. Just because it is housed on a Web site does not make it invulnerable to unauthorized alterations there. ^[17]

Go to:

[Top of Section] [Table of Contents][Section 1] [Section 2] [Section 3] [Section 4] [Section 5] [Appendix]

¨ ¨ ¨ ¨ ¨ ¨