HRMI Data Security Policy

HRMI will collect two types of sensitive information as part of our Civil and Political Rights metrics development:  The names and contact details of potential survey respondents.  Survey responses to our civil and political rights expert survey. This policy explains our security steps for each. As an extra safeguard, we will store the two sets of data separately.

1. Names and contact details of potential survey respondents

This information will be collected initially from people at our trusted partner organisations, through an on-line country-nomination form. Additional names and contact details will be sought from our first tranche of survey respondents. Information collected includes the names and contact details (email address and/or WhatsApp or Signal numbers) of potential survey respondents. Key features of our security policy are:  The country nomination form is hosted on the HRMI website which has an SSL certificate and is secured by https. This means that the information is secured (encrypted) in-transit.  The information submitted is sent directly (encrypted) to a dedicated email address hosted by an email service provider - with very strict laws - based in Switzerland. This dedicated email address will have high security and access will be restricted to 1 or 2 New Zealand-based HRMI staff.  Information received will be stored in a file, also hosted on the servers of the same email provider.  HRMI will use this information to send a link to HRMI’s on-line survey to each of these potential survey respondents. The link may be sent via email (from our dedicated email address), or via an encrypted messaging service (e.g. WhatsApp or Signal).

2. Survey responses

The pilot survey will be hosted on the Qualtrics website which has an SSL certificate and is secured by https. This means that all information entered and transmitted will be encrypted. IP addresses are NOT stored.

The main potential risk to survey respondents is that if their email was hacked or an ISP spied on them, hostile agents may see they are communicating with HRMI and know they are potentially contributing to our civil and political rights metrics. But they would not be able to access the survey information submitted itself. See below for advice on protecting yourself from on-line surveillance.

The survey responses that HRMI receives via Qualtrics will be un-identified. i.e. we won't be able to link responses to individual survey respondents. However, we have two optional questions asking for contact details of: 1) the respondent themselves, and 2) other potential survey respondents who we should send the survey to. Also, some of the qualitative responses provided might potentially be able to be used to identify some respondents in rare cases. Therefore we have identified 4 different levels of data security from 1 (most secure) to 4 (public).  Most secure: the initial raw data-set received from Qualtrics by HRMI staff at UGA will exist only temporarily (until contact details are removed from the rest of the database and sent (encrypted) to our secure email address – discussed above). These data will be deleted from Qualtrics server at the same time.  The next most secure dataset (containing both qualitative and quantitative responses) will be stored in a separate on-line secure storage service. E.g. Spideroak. Only people who have security training and who are conducting relevant research will have access.  Low security: A data-set of fully de-identified survey responses – to be used in research and to calculate HRMI metrics – will require no special security as the data will be effectively anonymous.  Public: Aggregated data will be published on HRMI’s website as HRMI metrics. This is what the public will see.

Please note: This security policy will be reviewed after our pilot study is complete.

Advice on Protecting Yourself from On-Line Surveillance

There are several ways of hiding your IP address to protect your on-line activity.

VPNs (Virtual Private Networks): A VPN provides you with a public IP address which differs from your personal one. VPNs can be set up to protect your whole device, not just the traffic that runs through your browser, meaning that other programs on your device which are using the (e.g. desktop email clients) will also be protected by your VPN. Many VPN providers charge a monthly subscription fee. Examples of trusted ones are Private Internet Access, Mullvad, and Tunnel Bear. Free VPN services are also available, although they often have limited bandwidth and data allowances. Tunnel Bear’s free option and Rise Up can be good alternatives to paid services if you only need to hide your IP address occasionally. It is worth noting that some countries are very critical of VPN-usage and try to make it harder to download them, in some cases even by making VPNs illegal.

Tor Browser: The Browser is a free program that you can download onto your computer. It lets you use the Tor software, which makes it more difficult for internet activity to be traced back to you by bouncing your communications around a worldwide network of relays run by volunteers.

Anonymous proxy servers: An anonymous acts as an intermediary between your home network and the rest of the internet, so that websites can only see the proxy’s IP address instead of your personal one. Free proxies exist, but they should generally not be trusted. There is the option to use a tool called Proxychecker for a small fee to assess whether a free proxy service manipulates website content or forces users to forgo . However, it is preferable to avoid free proxies altogether. Compared to VPNs, even paid proxies have the downside of only protecting the web traffic that runs through the browser that is using the proxy. For example, your IP address will be protected if you open an email program in your browser, but not if you are using a desktop email client.