Named after the Greek word for witness, the Martus Project provides an efficient and secure way to store and retrieve information about human rights abuses. Using the Martus application, you can create records of human rights abuses, attach supporting documents, and store the information on a secure server. Martus encrypts data directly on your computer, and sends this data in an encrypted form to a secure server when you have an internet connection. To learn more about the problems the Martus Project addresses, how Martus is being used throughout the world to securely collect and store sensitive data, and future plans for the project, visit http://benetech.org/our-programs/human-rights/.
Martus can help with some digital security problems but it also has limits. You should consider vulnerabilities in work you conduct outside of Martus and identify tools that may reduce your risk.
Every Martus account has a key which can only be accessed using the password for that account. When you sign in to the Martus software, your password enables the application to open the key (associated with the MartusKeyPair.dat file,) so that you can see the records you’ve created and stored.
Your password is yours alone; without it, no one can open the records you’ve sent to the server, or any of the records on your hard drive. However, if you’ve opted to share records with a Contact, the Contact account holder will be able to see the data that you sent to the server.
Information secured with Martus is also protected from being modified by others and the software ensures that no one can create false or inaccurate records using your account. Even if your computer is lost, seized, or stolen, Martus ensures that data entered into Martus records cannot be read by those without permission to access the data.A Martus server is a computer server that accepts encrypted records, securely backs them up, and replicates them to multiple locations, safeguarding the information from loss. (Benetech provides the server software to the organizations that host Martus servers, but it does not host Martus backup servers directly; e-mail firstname.lastname@example.org for a list of potential server hosts.) Any records you haven’t sent to a server exist only on your computer. If your computer is lost, stolen, or damaged, you could lose all of that data. The server acts as a backup mechanism, so the data entered into Martus can be recovered if you lose access to your computer. With your key and your username and password, you can install Martus on a different computer and access all the private data in records you sent to the server. And if you have set up any Contact accounts to receive records from you, sending records to the server makes them available to those accounts.
Independent programmers can review the code in an open source application in a way that they cannot in traditional applications. Benetech has developed Martus for use by human rights organizations, and it has not included any hidden means of collecting information from Martus users, or of having the application perform any hidden tasks. Because Martus is an open source application, you don’t have to take our word for it. Any organization can have the code independently verified to see that it does what we say it will do.
To learn more about open source technology, visit the Open Source Initiative at http://www.opensource.org.
The people who give you information about human rights abuses are concerned about security and privacy—and you need to be just as concerned in order to protect them and yourself.
Increasing access to technology (phones, internet, and social media) increases risks in this digital arena. Digital security has consequences for physical security.
Tools like Martus should be part of a security culture you establish and practice to keep yourself and your network safe. For more details on security culture and digital security considerations see our Digital Security presentation.
Other tools and resources that might be helpful for the security of communications and information:
Resources for learning more about digital security:
It’s important that only the designated people have access to the records you’ve created, especially the information you deem particularly sensitive. It’s equally critical that no one else is able to modify the data you submit, or to create false or inaccurate records using your account. There are steps you can take to prevent someone from using your Martus account to read the data you’ve collected or to submit additional data, even if they steal your computer or otherwise gain access to it.
The Martus software uses very strong encryption technology to scramble your records so that other people cannot read them on your hard drive. However, since security involves people, and people are human, Martus security has limitations. We want to make sure you understand these limitations, even though the software is designed to be very secure. Here are some of the ways your private information may be compromised:
Although Martus has been reviewed extensively for strength of security, and computer experts can review its design to check for flaws at any time, it is likely that private information will be accessible to other parties willing to invest the time and effort to read it at some point in the future.
Although these limitations may sound scary, Martus information is far more secure than information on paper or in most existing computer programs (including those used by banks.) We explain these limitations to make sure you understand them, and the importance of being security-conscious in your use of Martus. Although we have built a very strong lock on your information, any lock can be unlocked by a key left out, and even the strongest locks can be broken with enough effort.
To keep your data secure, you need to use a password that cannot be easily discovered or guessed. Develop a password that you can use confidently, and that you can remember. You are the only one who knows your password; if you forget your password, you may not be able to access your Martus data (unless you have done a 3-part backup of your account, for more information see Backing up your key.)
The Electronic Frontier Foundation’s Surveillance Self-Defense guide also includes good advice on creating strong passwords.
Encryption scrambles or encodes your data so only those with the secret key or password can decode it. A very simple example to illustrate the concept of encryption:
Martus uses a much more complex algorithm of encryption that scrambles the record so that it can only be read by people with the right key. Encryption protects the records easily and automatically. This is what a record looks like encrypted on your computer or sitting on the server:
For a technical description of the encryption used in Martus see the “About Martus Security” section, here: https://martus.org/resources/documentation.html
Other resources and examples for understanding encryption: