Guide to the Directory

Purpose

We’re often challenged to communicate over surveillance networks, trading privacy for convenience. As a community that values privacy and security, we need accurate and verifiable contacts, whether we intend to share secrets or just chat.

The heart of every network needs healthy information to keep beating. This directory intends to provide that data, in an attempt to strengthen our bonds and increase our strength.

Sure, you can look up e-mail addresses in a keyserver or find people on Keybase. This directory serves a different purpose, connecting you specifically with Yale Privacy Lab and professionals trained in digital self-defense in the Yale and New Haven communities. Our network centers around the Information Society Project, Yale Law School, and YLS Clinics and reaches outward to privacy-respecting friends and colleagues at other institutions.

By consolidating entries for these individuals and listing multiple methods of contact for each person, we hope to provide the information that at-risk users and colleagues alike need to reach out over a secure, reliable channel. We aim to reduce the friction and complexity of such interactions, with this directory serving as a single point of reference for a growing community.

A Message of Caution

There is no “magic bullet” technology that guarantees privacy and security. It takes regular practice and training, coupled with proper operations security (OPSEC), to safeguard your communications and personal/professional information. Yale Privacy Lab makes no promises regarding the efficacy, safety, or reliability of the technologies listed in this directory. However, the communication technologies in this directory were chosen for their:

  • status as security industry or de facto public standard
  • basis in sound and well-established cryptographic technology
  • positive reputation within cryptoparty, “cryptonerd”, and infosec communities
  • recommendation by well-known free speech, Internet freedom, and civil liberties organizations
  • evidence of software development transparency such as peer review, Free and Open-Source Software (FOSS) licensing, security audits, and transparency reports

In some cases, these communication technologies are considered “experimental” or in “beta” stage of development. Contemporary software development methods may result in protocols and applications that never technically leave this “unfinished” phase, though they are used daily by vibrant international networks. However, we echo Tor Messenger’s warning that at-risk users should not depend on bleeding-edge software for their privacy and safety.

As with any software choice, “your mileage may vary”, and you should choose your method of communicating with the people in this directory based upon your threat model.  Each entry contains multiple methods of contacting each person.

Entry Format

Example directory entry:

Example Directory Entry

Example Directory Entry

Photo

Your Privacy Lab directory listing must have a real, current, color photo of you and no other people (preferably centered on your face and with no alterations or social media filters). We will ask you to update your photo each year. Photos reduce misunderstandings and awkwardness in physical meetups and events. Preferred format is .JPG or .PNG, at least 300x300 pixels. The photo will be displayed within a circular border.

Name

This can be a full name, nickname, or pseudonym, but you must be known by this name in our community. Please keep this under 32 characters (even John Jacob Jingleheimer Schmidt fits that criteria).

Labels

People may decide who they want to contact quickly, especially if they are under duress. Though we all have diverse backgrounds and interests, please choose only two labels that best describe your background and role.

Label Choices:
  • Technologist
  • Attorney
  • Librarian
  • Scholar
  • Student
  • Lecturer
  • Educator
  • Activist
  • Organizer
  • Administrator
  • Maker - option for members of hacker/makerspaces like MakeHaven, Yale CEID
  • Alumnus - option reserved for people formerly at Yale and the Information Society Project
Reserved:
  • Lab Director - reserved for head of Privacy Lab
  • Lab Coordinator - reserved for lead trainer/organizer at Privacy Lab
  • Privacy Trainer - reserved for trainers at Privacy Lab
  • Affiliate - required for people outside of Yale

Organization

Tell us which organization you would like to be associated with, for the purpose of this directory. For example, members of legal clinics should list their clinic. When possible, please also provide the URL for the organization so that it can be linked (e.g. MFIA Clinic).

Affiliation Badges

Let us know if you are affiliated with any of the following organizations (or were formerly affiliated and left on good terms), so that we may provide a badge icon in your directory entry:

Berkman Klein Center for Internet & Society

Centre for the Internet and Human Rights

Electronic Frontier Alliance

Electronic Frontier Foundation

Fight for the Future

Free Software Foundation

FreedomBox Foundation

Software Freedom Law Center

Software Freedom Conservancy

MakeHaven

MayFirst/PeopleLink

Mozilla Foundation

Riseup

Tor Project

Wikimedia Foundation

Yale Center for Engineering Innovation and Design

Short Bio

Please provide a very short biography, 256 characters or fewer. List the most pertinent information someone would want to know about you, if they were reaching out for the first time via a secure channel.

Personal URL

This may be a website, blog, or social media account. We encourage the use of options like Mastodon and GNU Social and discourage walled gardens like Facebook.

Secure Contact Information

Privacy Lab directory entries will only contain contact information for privacy-respecting, trustworthy technology that shares information over secure channels. End-to-end encryption (E2EE), peer-to-peer (P2P), and off-the-record (OTR) solutions are prioritized, especially if these applications send data via anonymity networks like Tor (optionally or by default). These software options will no doubt change over time, and our Privacy Trainers can assist you in providing the correct information for your directory entry (e.g. your PGP/GPG fingerprint).

You must provide at least one of the following contact methods (Encrypted e-mail, Mobile chat, or Desktop chat/IM), which you should be actively using.

Encrypted e-mail

PGP/GPG e-mail
Provide a 10-block, 40-character fingerprint and/or link to your public key online (e.g. on a keyserver), as well as the primary e-mail address associated with the key.  PGP/GPG e-mail is highly encouraged for all directory entries due to its longevity, decentralization, and security industry / academic popularity. It is required for Lab Director, Lab Coordinator, and Privacy Trainers.

ProtonMail
List your ProtonMail e-mail address. Protonmail is not PGP/GPG compatible and best to use when contacting other Protonmail e-mail addresses.

Tutanota
List your Tutanota e-mail address. Tutanota is not PGP/GPG compatible and best to use when contacting other Tutanota e-mail addresses.

Mobile chat

Provide the information for one or more of these apps:

Wire
List a Wire @username. Using phone number as your identifier is discouraged.

Signal/Noise
Signal requires phone number as the identifier. We recommend other options or listing Signal under your “Ask Me” section. We also encourage the use of Noise whenever possible, as it does not require Google services.

Kontalk
Kontalk requires phone number as the identifier. We recommend other options or listing Kontalk under your “Ask Me” section.

Riot.im
List a Riot or other Matrix @username and, optionally, a chat room.

Desktop chat/IM

Provide the information for any of these methods:

XMPP/Jabber
List an account only if you use OMEMO or OTR with it. This directory does not list OMEMO or OTR fingerprints due to the frequency that they may change.

Ricochet
List a Ricochet address.

Cryptocat
List a Cryptocat username.

Tox
List a Tox ID or a ToxMe username.

Bitmessage
List a bitmessage address.

“Ask Me” contact details

There are many trustworthy options for private communication. We all use some methods more than others, and it’s best to be honest about our software usage so that incoming messages don’t go unnoticed. For this reason, you may provide an optional list of technologies you know how to use, but don’t use often. Contacts will have to reach out to you some other way so that you can provide your contact details for these channels.

This option also allows you to keep some of your usernames / identities private. It is encouraged for services that require phone numbers as an identifier such as Signal/Noise and Kontalk.

Example “Ask Me” Section

 

Toolkit

Directory listings may also contain the following skills, which are most relevant to our community and the people we assist.

  • Legal Clinic
    Member of one of the YLS Clinics, or similar clinic/project at another institution. Must be qualified to provide legal assistance or able to connect people to others who are.
     
  • Tor
    Basic understanding of Tor, such as usage of Tor Browser Bundle
     
  • Tor+
    Understanding of Tor that goes beyond using the Tor Browser Bundle (e.g. OnionShare, Tor Messenger, TAILS. Required for Lab Director, Lab Coordinator, and Privacy Trainers.
     
  • GNU/Linux
    Basic understanding of GNU/Linux, such as usage of a distribution like Ubuntu.
     
  • GNU/Linux+
    Intermediate-to-advanced understanding of GNU/Linux, such as command line scripting and system administration.
Web Browser Tools

The “Toolkit” section is also a good place to list browser-based communication methods that require no usernames and which may have unique URLs for each conversation. Please be careful with these methods, as they are generally “security by obscurity” and should only be used for sparse contact in limited situations, or when no other option is available.

  • Jitsi Meet
    Video/audio chat without requiring usernames. A replacement for Skype or Google Hangouts. Before you list this tool - Make sure you know how to password-protect a room and invite users via e-mail.
     
  • Riseup Etherpad
    Real-time document collaboration without requiring usernames, that “self-destructs” after 30 days of inactivity. An alternative to Google Docs for text document sharing, meeting notes, and non-critical communication. Best when coupled with other, more discreet communication methods. Before you list this tool - Make sure you know how to generate human-readable passphrases for pad names/URLs.
     
  • Riseup Share/Up1
    File and document sharing (up to 50MB) without requiring usernames, that “self-destructs” after 30 days of inactivity. An alternative to Dropbox or Pastebin for small file or document sharing. Before you list this tool - Make sure you know how to manually delete a file upload and text “paste”.
     
  • Firefox Send
    File sharing (up to 1GB) via a Web browser, without requiring usernames, that “self-destructs” after 1 download or 24 hours. An alternative to Dropbox for large file sharing. Before you list this tool - Make sure you know how to manually delete a file upload.
Example “Toolkit” Section

Verification

The full source code, graphics, and licensing information for the directory are available on Github. HTML files containing directory entries have been signed with the Yale Privacy Lab PGP/GPG private key and may be verified using the public key. SHA-512 checksums are also published for each document and PGP/GPG signature file.