A Short Introduction to Holistic Security
This post is a slightly edited version of my short talk given to the UC Berkeley and UC Santa Cruz human rights investigation labs: https://rca.ucsc.edu/news-events/Past Events/holistic-digital-security-webinar.html
I simply want to share what the concept of holistic security is and why it is important not just in human rights work, but across many industries. Several years ago, when I was teaching Berkeley students how to protect targeted activist groups, my colleagues and I wanted to comprehensively address the threats facing the activists we were working with, as well as the students who would be exposed to traumatic subject matter and survivors of violence - physical, racial and sexual.
UC Berkeley's Dr. Alexa Koenig had recently wrestled with a similar problem with her investigations lab at Berkeley Law's Human Rights Center and recommended that we use a holistic security approach in our own clinic that would stress psychosocial well-being and resiliency as strongly as we knew we’d focus on digital and operational security.
Here’s a simple definition from Tactical Tech, a Berlin-based activist group that published the “Holistic Security Manual” in 2016:
Holistic security “integrates digital security, psychosocial well-being, and operational security processes and highlights their interrelatedness, rather than looking at them each separately.” It is centered on well-being - being physically and emotionally healthy and sustaining ourselves while continuing to do the work that we believe in.
A holistic security practitioner understands that “well-being” is highly subjective and influenced by our identities, communities, beliefs, context, and experiences.
The convergence of these concepts is not new, but it is a more realistic and accurate depiction of the threats faced by each of us. We need to move past the idea that one can separate their digital and “real” lives - that when someone is being abused online they can simply turn off their computer and not worry about the impact. This was never actually the case, and that myth has especially impacted women, people of color, and LGBT communities.
We frequently see examples in media that show the importance of this concept:
We see protections designed for physical safety actually place people at greater risk of digital surveillance, as in the case of GPS-enabled panic buttons for journalists in South America. By exploiting a simple technological vulnerability, an attacker could actually use the button to track and locate the journalists (source).
When we are under intense emotional stress, such as throughout the pandemic, not only may threats arise more frequently due to physical separation, but we also have a lower ability to successfully identify things like phishing emails (source).
Finally, many common threats don’t fall cleanly into a “cybersecurity threat” or a “physical threat” -- when technological systems are being used as designed but still subject their users and employees to emotionally damaging materials via harassment, disinformation, and traumatic content, it’s undeniably a safety and security issue. We can see this in the psychological trauma experienced by content moderators of major platforms (source).
There are three things that I want to emphasize about holistic security:
- Integrated does not mean that by simply focusing on one aspect of security you are improving the others. As with the panic buttons, when you add one protection, you have to consider its impact and vulnerabilities in other aspects of your organization.
- Security is subjective and you should not erase individual beliefs, experiences, and values. At the very least, recognize how gender, race, and class identities impact the frequency and severity of threats to certain members of your organization as well as how you would respond to a threat. For instance, the impact of Covid-19 was not shared equally across all social groups. Similarly, calling 911 or going to HR may not be effective or even safe options for everyone.
- A holistic approach is the right thing to do - not just for protecting your own people but also for those you are advocating for, those that are the focus of your research, and those that may use your systems. For instance, as you are designing your research protocols, you need to not only consider how that information will be stored but also the psychological impact on your research subjects or how that new app feature or policy can be used to perpetuate psychological harm... even without an account being hacked.
Look forward to hearing more about holistic security from us in the future. There are several interesting topics to explore, such as community or collectivist security as well as the roles of psychology and spirituality in applying these concepts! I'll be happy to discuss more about holistic security with anyone who is interested, so always feel free to contact us.