How to Use Ushahidi More Securely

The Ushahidi platform was first launched amidst a violent conflict some four years ago. Since then, the platform has been used to map other violent crises in places like Egypt, Kyrgyzstan, Libya, Somalia, Syria, etc. During this time, repressive regimes have clearly become more sophisticated in using social media and surveillance technologies. Most software is exposed to security risks: compromise, gaming and subversion. Ushahidi users are not immune. We’ve compiled some resources and suggest that these be reviewed before deploying the tool in any hostile environment.
The purpose of this blog post is to provide some basic recommendations on how to use the Ushahidi platform more securely and to provide links to many important resources out there. Remember, using technology will always carry some risk, so before using Ushahidi or any other technology, please do everything you can to educate yourself on these risks, and not only those that you will personally face but also the risks that others will face as a result of your project.

1. Please use HTTPS, and only HTTPS, to access your Ushahidi platform. After enabling SSL on your server, simply change site_protocol from http to https in your config.php file. If you are on Crowdmap, SSL is already forced and supported across the board.
2. Do not use your real name or real email address when you create your account to access the back-end of the Ushahidi platform. The back-end could be compromised.
3. Do not add any sensitive information to the Ushahidi platform, even if this information is not published, e.g., an unpublished report in the back-end of the platform. This means no personal identifiers, no links back to an original tweet or blog post, etc., from which the report is created. The back-end of the platform could be hacked, so all sensitive information should be kept in a separate and more secure location. This also means not mapping the exact location of reports and not publishing reports in near real-time but rather with an appropriate time delay.
4. The Ushahidi map should be kept password protected and the link should not be shared publicly. Users who wish to access the map should be carefully vetted before being provided with password access. Only make the map public if you have taken sufficient steps to minimize the associated risks.
5. Always log out when you’re not using the Ushahidi platform and be aware of whose Internet connection you are using to access the platform, i.e., if browsing from an Internet cafe, who else are you sharing the network with? When SSL is enabled, the threat of interception is reduced but not eliminated entirely.
6. Do not use shared hosting and make sure your server is properly firewalled and secure.
7. If you’re not using the latest version of the Ushahidi platform, please upgrade immediately! More information here on how to upgrade. Please follow the Ushahidi blog and subscribe to the Ushahidi dev mailing list for security announcements.
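Step 1 above is the one item on this list that is a concrete configuration change, and it is easy to get half right (SSL enabled on the server, but the platform still generating http:// links). The script below is an added example, not Ushahidi project code: it reads the site_protocol setting from a config.php, reports whether the deployment is set to https, and can rewrite an http value in place. The exact line format it parses ($config['site_protocol'] = 'http';) and the sample config it builds for a dry run are assumptions modelled on the form shown in step 1, not copied from a real deployment.

```shell
#!/bin/sh
# Added example (not the Ushahidi project's own code): audit and fix the
# site_protocol setting in an Ushahidi config.php so the platform itself
# only generates https:// links. Assumes the setting is written as
#   $config['site_protocol'] = 'http';
# Enabling SSL on the web server (step 1) is still a separate, required step.

# Print the configured site_protocol (http or https); prints nothing if the
# setting is not found.
get_site_protocol() {
    sed -n "s/^[[:space:]]*\$config\['site_protocol'][[:space:]]*=[[:space:]]*['\"]\([a-z]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Exit status 0 if the config forces https, 1 otherwise.
check_https_only() {
    [ "$(get_site_protocol "$1")" = "https" ]
}

# Rewrite an 'http' value to 'https' in place; the original is kept as FILE.bak.
force_https() {
    sed -i.bak "s/\(\$config\['site_protocol'][[:space:]]*=[[:space:]]*\)['\"]http['\"]/\1'https'/" "$1"
}

# Constructed sample config for a dry run (not taken from any real deployment).
make_sample_config() {
    cat > "$1" <<'EOF'
<?php defined('SYSPATH') or die('No direct script access.');
$config['site_domain'] = '/';
$config['site_protocol'] = 'http';
$config['index_page'] = 'index.php';
EOF
}

# Usage: sh check_site_protocol.sh /path/to/application/config/config.php
# Reports the current value and exits non-zero when https is not forced.
if [ "$#" -eq 1 ]; then
    if check_https_only "$1"; then
        echo "site_protocol is https"
    else
        echo "site_protocol is '$(get_site_protocol "$1")' (expected https)" >&2
        exit 1
    fi
fi
```

Run it against your deployment's config.php as part of a pre-launch check; a non-zero exit means the platform is still configured for plain HTTP even if the server accepts SSL connections. The rewrite helper is kept separate from the check so the audit can run read-only on a production box.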
There are many additional steps that users can and should take to use the Ushahidi platform more securely. The ones listed above do not guarantee full security. We have therefore compiled a list of additional resources (please see below) that users should familiarize themselves with before deploying the Ushahidi platform in a hostile environment. We also invite experts in this space to provide additional resources and comments. In the meantime, we shall strive to continue making the Ushahidi platform more secure with the help of our partners, and we will be sure to post security updates via our blog.
The resources below have also been added to the “Best Practices” section of our new Ushahidi wiki. You may have expert knowledge which could assist our community. Can you help? Our goal is to provide a curated list of existing best practices and resources to our community.


Other Resources:

This list will continue to evolve on our wiki. We will add your recommendations on security tools and additional resources. Thanks in advance for helping the community of deployers be safe and secure.