Etherpad, Security and Privacy
Etherpad is a tool for public collaboration. By default all pads are open to general users of the Internet. As such, it is not advisable to use this tool for information that you do not want to be in the public domain.
However, it is possible to install Etherpad so that little information is gathered which could be used to incriminate users. There are limits to this level of anonymity. It may be possible to detect that you have connected to a website even if the contents of what you have read or written cannot be detected. This chapter deals with these aspects and suggests different tools which may be useful to you.
User level security
Using Etherpad with HTTPS / SSL
It is possible to connect to Etherpad using HTTPS connections. There is more information on HTTPS (also called SSL) in other guides like the Firefox Manual. Very briefly, HTTPS connections encrypt the data between your computer and the website you are connecting to.
If this kind of digital 'eavesdropping' is a concern for you then choose an Etherpad where HTTPS is available. In the Firefox browser, you can tell whether you are connected via HTTPS by looking at the location bar. If you are connected, you will see https:// and an image of a lock.
You can also investigate using other security and bypassing censorship techniques. Details of these tools can be found in similar guides on Bypassing Censorship and the Firefox browser.
Administrator level security
IP address logging and automatically deleting unused pads
IP addresses are numbers which can identify you when you browse the Internet. When authorities track Internet use or take possession of Internet servers as part of investigations, it is often these IP addresses which are used to incriminate Internet users.
It is possible to set up a server so that it does not make a record of IP addresses. One way of doing this if you are using an Apache webserver is to use the remove_ip module. 1
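A check an administrator can run after turning off IP logging, given here as an added example that is not part of the original manual: it scans log lines for anything that parses as an IPv4 or IPv6 address, so leftovers in access or error logs are easy to spot. The function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Split on whitespace and the punctuation that usually surrounds log fields.
_SEPARATORS = re.compile(r"[\s\[\]\"'(),;=]+")
# An IPv4 address followed by a port, as in "[client 198.51.100.23:51234]".
_V4_WITH_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d{1,5}$")


def find_ips(line):
    """Return every token in a log line that parses as an IPv4 or IPv6 address."""
    found = []
    for token in _SEPARATORS.split(line):
        m = _V4_WITH_PORT.match(token)
        candidate = m.group(1) if m else token
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue  # timestamps, status codes, paths and so on
        found.append(candidate)
    return found


def audit(lines):
    """Map 1-based line numbers to the addresses found on that line."""
    report = {}
    for number, line in enumerate(lines, start=1):
        hits = find_ips(line)
        if hits:
            report[number] = hits
    return report


# Constructed sample lines using documentation address ranges, not real logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:15:32 +0000] "GET /p/meeting HTTP/1.1" 200 5120',
    '- - - [12/Mar/2024:10:15:40 +0000] "GET /p/meeting HTTP/1.1" 200 5120',
    '[Tue Mar 12 10:16:01 2024] [error] [client 198.51.100.23:51234] File does not exist',
    '2001:db8::42 - - [12/Mar/2024:10:17:09 +0000] "GET /static/1.2.3/pad.js HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, hits in audit(SAMPLE_LOG).items():
        print(f"line {number}: still records {', '.join(hits)}")
```

The error-log line in the sample is there because a webserver's error log is written separately from its access log, so both need to be checked.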
Rather than leaving data hanging around on the Internet you may choose to use an Etherpad service that deletes data after a certain amount of time if it is not being used. This is true of the service at pad.riseup.net which deletes pads after 30 days of inactivity.
Password Protecting Etherpads
It is possible to place a password on Etherpad when it is installed. This may be something you could ask an Internet administrator to do for your project. If you have technical skills you can find out how to do this in the section on Installing Etherpad.
If you do use an Etherpad with password protection, it is important to always use HTTPS to connect to it. Otherwise your password will be sent in an unencrypted way.
Other types of good practices
Do you know what you are doing?
As with many aspects of Internet security, for very sensitive information it is best not to publish it to a webserver on the Internet at all. Before running a service and declaring it to be a secure tool you should ensure you have a good depth of knowledge on your subject.
Choosing the right tool for the job
If you choose not to use Etherpad as your collaboration tool then there are other services and software that may be useful to you.
Crabgrass
Crabgrass is web software and a service provided at http://we.riseup.net. It is a tool used by many grass roots activists.
It provides a secure space to collaborate with your friends and colleagues by allowing you to create different spaces and use tools for collaborative writing, organising and decision making.
OwnCloud
OwnCloud is Free Software that provides an online storage area for data (cloud storage) for you. Versions until 4.5 featured the ability to encrypt your files.
The system is mainly designed for the sharing of existing files but there are also simple tools for editing documents and it is possible to integrate Etherpad. There is also the ability to use shared calendars. You can download or find out more about OwnCloud at http://owncloud.org/.
IRC
IRC (Internet Relay Chat) is a well tested way of chatting in real time with many people. It is possible to keep a log of your chats and to have encrypted chats, making it a good tool for quick collaboration on texts.
There is more information about IRC and the different clients you can use here. 2
Booktype
Booktype is a more advanced tool for collaborative writing. It has a focus on producing printed books or booklets. As such, there are many options for laying out images and text.
It is possible to hide books from general users; however, Booktype has not been designed as a secure space for sensitive documents. You can try out, download or find out more information on Booktype at http://www.sourcefabric.org/en/booktype/
Wikis
Although most wikis are not designed to be private or encrypted, they can be password protected.
There are good tools in most wikis for keeping track of edits that have been made and reversing destructive changes. For formatting, wikis use something called "wiki markup", which can make wikis more tricky to use than other tools in this guide. This is especially true if you want to add images to your documents.
If you are interested in trying a more secure wiki tool, which allows for encrypted use, you can try Wiki on a Stick. 3
Encrypted Email and Attachments
While there are many advantages to using online collaboration tools, not many of them have been designed to be very secure. To avoid this problem you may want to use more tried and tested ways of communicating securely. For example, it is possible to encrypt emails using a technology called GPG.
There is a manual on Encrypting Email 4 with GPG and the cross platform email client Thunderbird.