How Does the Internet Work?

Credits Mariel Garcia, Spyros Monastiriotis Last Updated 2017-06

This session builds basic understanding of information flows across the Internet, and the different vulnerabilities and related good security practices at each point in the chain.

ADIDS Element

Activity and Discussion

Parent Topic(s)



60-90 minutes

This session was developed jointly by Mariel García (SocialTIC) and Spyros Monastiriotis (Tactical Technology Collective)  

Materials to Prepare

How Does the Internet Work? Placards – these should be iconic representations of the parts of the chain that an email goes through when it is sent from one computer to another:

  • Devices (computer/mobile phone) (x 2)
  • Modem (x2)
  • Telephone pole/Underground optic fiber (x 2)
  • Internet Service Provider (x 2)
  • Google Servers (x 1)
  • Mock Email (x 2, or more)

Other Materials:

  • Handouts with suggestions of digital security practices
  • Paper to use as a board – one long piece (4 meters), and two smaller pieces (1 meter)
  • Colored markers
  • Adhesive tape
  • Slides (with key points included below)
  • Laptop/Computer and Projector setup
  • Speakers  

    Trainer’s Note

    Make sure to cover all the questions participants might have. It is important they leave the session with answers to their concerns with the vulnerabilities they learned about, and feeling they have the information they need to take action. Avoid creating an environment of fear, stress or anxiety - provide enough information and resources, as well as further training opportunities (if possible).

Running the Activity:

Part 1 - How the Internet Works – Flow of Information and Points of Vulnerability

Step 1 | This part of the workshop will begin as a game. Participants will be given pieces of paper representing one part of the chain of the flow of information online (modem, computer, ISP building, etc) and will be asked to arrange themselves in the order they consider is correct to represent the way an email travels through the Internet to reach another computer.

Step 2 | Once the group is arranged, the facilitators will correct any mistakes, and will do a run-through explaining the process to everyone. Then a volunteer will be asked to repeat that explanation. It is recommended that the complete explanation is made at least three times; but, to give variety to this exercise, the facilitator can change the email illustrations that are used, and the extreme where the demonstration begins. The trainer must also give some time to clarify doubts related to this process.

Step 3 | You can also use a video like this one ( to help participants identify any mistakes that they have in the way they arranged themselves.

Optional: To adapt this for larger groups - rather than giving out one piece per person, assign one piece to a pair; for smaller groups, they can place the pieces on the floor, debating their order.

Part 2 - Vulnerabilities

Step 4 | When the previous process has been completed, participants will be asked to paste each piece on a long paper (from a roll) that will be left on the floor. At this point, the facilitators will go through the chain again, this time to point out and explain the vulnerabilities at each stage (and hint at good practices to keep participants calm and confident).

Step 5 | Some of the vulnerabilities are mentioned next. You can also add any other practice or threat that is applicable in your own context or that is relevant to mention to the participants. You can also share a few examples of practices that other collectives you work with have to help participants think of what might be some of their own good or bad practices.

  • Device 1 (computer/phone): Physical insecurity; loss of information
  • Modem 1: Wifi sniffing; lack of encryption
  • Telephone pole/optic fiber underground: N/A
  • Internet Service Provider: Data and metadata requests from local/national governments
  • Google Servers: International surveillance; password insecurity and phishing, requests from national governments
  • Telephone pole/optic fiber underground 2: N/A
  • Modem 2: Security problems using other people’s connections (like at Internet cafes)
  • Device 2: Malicious software; insecure deletion

Part 3 - Good Practices for Digital Security

Step 6 | After focusing on vulnerabilities, it will be time to break the group into smaller ones that can “adopt” one of the vulnerabilities discussed in the previous exercise and propose creative solutions for it. To make it less overwhelming for less experienced participants, each group will be given a piece of paper including one solution proposal that can ignite conversation.

Step 7 | At the end, the groups will be given 30 seconds to a minute to present their ideas to the rest of the group (while one of the facilitators takes notes and makes additions to what is reported back by the groups). Facilitators will float around the groups giving brief explanations and answering questions, and mostly promoting discussion among all the participants.

Step 8 | It’s important that, as this activity progresses, facilitators explain the basics of each solution. Also, depending on the level of interaction and speed of the workshop, it may not be possible to cover all the proposals.  

Some of the ones that are consider most important to share are:

  • Physical insecurity: reduce the exposition of devices in your organization to strangers
  • Physical insecurity: use computer locks at your office and home
  • Loss of information: keep a backup somewhere other than your office or home
  • Loss of information: put someone in charge for everyone’s backups in your organization
  • WiFi sniffing: Take off all the signs displaying the password of your WiFi
  • WiFi sniffing: Change the password of your WiFi every couple of weeks
  • Lack of encryption: Go to a cryptoparty in your city/come to workshop X
  • Lack of encryption: Read Security in a Box on encryption
  • Data and metadata requests from local/national governments: Work with digital rights organizations to find out ways to protect yourself legally
  • Data and metadata requests from local/national governments: Find out what laws in your country say about the intervention of communications
  • International surveillance: Switch to secure services for search, mail, hosting and communications in general
  • Password insecurity: use long and complex passwords!
  • Password insecurity: use KeePass to remember the many passwords you should have
  • Phishing: Think before you click (be mindful of where you put your login information)
  • Using other people’s WiFi: Always log out
  • Using other people’s WiFi: Tell us – what should you not be checking when you’re on someone else’s WiFi?
  • Malicious software: install antivirus software and run it manually every week
  • Insecure deletion: Use Cmd+right click to empty bin on Mac
  • Insecure deletion: Use software like Eraser or CCleaner

Part 4 - Leading the Discussion

Step 9 | The point of this part of the session is to gather questions that are related to digital security but maybe haven’t come up until now in the workshop, as well as discuss topics relevant to the participants’ specific community. It’s a good time to provide resources for everyone to learn more and stay updated. The facilitator will gather questions of the audience, hint potential answers, and mention references that can be used to answer them.