You are on page 1of 71

Frontiers of

Computational Journalism
Columbia Journalism School
Week 12: Privacy and Security
December 11, 2015

Laptop falls into Syrian govt. hands,
sources forced to flee

AP source busted through phone logs

.
.
.

Open Network Initiative global filtering map -- opennet.net

From Protecting Consumer Privacy in an Era of Rapid Change, FTC,

Journalism Security Disasters
• Hacked accounts and sites
– AP
– Washington Post, New York Times,
– etc.

• Sources exposed
– Vice reveals John McAfee’s location
– AP phone records subpoena
– Filmmaker’s laptop seized in Syria

What Are We Protecting?




Commitments to sources
Physical safety
Legal concerns
Our ability to operate
Our reputation

Holistic security (What “digital security” isn’t)
The predominant digital security discourse takes little or no heed of the elements of
personal, organisational or psychological security inherent to the establishment of an
effective and cohesive security strategies.
The tendency, aggravated by time constraints and necessary technical skill-building, has
been to treat digital security as a technical problem with technical solutions, and therefore
to focus on a software or tool-centric approach, generally without due consideration of the
wider organisational and personal necessity or impact thereof.
Meanwhile, practitioners focusing on the personal, organisational, and psycho-social wellbeing of HRDs must adapt to the implications of the rapid proliferation of digital tools and
ICTs as an aspect of human rights defenders’ work and personal lives.
- Towards Holistic Security for Rights Advocates, Tactical Tech

Digital Security strategies
• Basic security practice: simple things that protect against many
threats.
• Threat modeling: discover and defend against specific threats
• Recipes: how handle specific reporting situations

LinkedIn
from June 2012 breach

Gawker
from Dec 2010 breach

Two-Factor Authentication
•Something you know, plus something you have

Good Password Practice
• If you use the same password for multiple sites, your password is only as strong as
the security on the weakest site.
• Don't use a common password. Avoid words in the dictionary.
• Use two-factor authentication
• Consider passphrases, and password management tools like OnePass

Phishing
By far the most common attack. Send a message to user tricking
them into entering their password.
Typically directs users to a fake login page.
Protection: beware links that take you to a login page! Always
read the URL after clicking a link from a message.

AP Twitter Hacked by Phishing

AP Phishing Email

The link didn’t really go to washingtonpost.com!

Read the URL Before You Click!

Spear Phishing
Selected targets, personalized messages.

Syrian Facebook phishing
Arabic text reads: "Urgent and critical..
video leaked by security forces and
thugs.. the revenge of Assad's thugs
against the free men and women of
Baba Amr in captivity and taking turns
raping one of the women in captivity by
Assad's dogs.. please spread this."

Chinese email spear-phishing
From FireEye blog post:
“In August 2015, the threat actors sent spear
phishing emails to a number of Hong Kongbased media organizations, including
newspapers, radio, and television. The first
email references the creation of a Christian
civil society organization to coincide with the
anniversary of the 2014 protests in Hong
Kong known as the Umbrella Movement. The
second email references a Hong Kong
University alumni organization that fears
votes in a referendum to appoint a ViceChancellor will be co-opted by pro-Beijing
interests”

Defending Against Phishing
•Be suspicious of generic messages
•Read the URL before you click
•Always read the URL before typing in a password
•Report suspicious links to IT security

Threat modeling
What do I want to keep private?
(Messages, locations, identities, networks...)

Who wants to know?
(story subject, governments, law enforcement, corporations...)

What can they do?
(eavesdrop, subpoena... or exploit security lapses and accidents!)

What happens if they succeed?
(story's blown, legal problems for a source, someone gets killed...)

What Must Be Private?
• Which data?
– Emails and other communications
– Photos, footage, notes
– Your address book, travel itineraries, etc.

• Privacy vs. anonymity
– Encryption protects content of an email or IM
– Not the identity of sender and recipient

Who Wants to Know?
•Most of the time, the NSA is not the problem
•Your adversary could be the subject of a story, a government,
another news organization, etc.

What Can the Adversary Do?
• Technical
– Hacking, intercepting communications, code-breaking
• Legal
– Lawsuits, subpoenas, detention
• Social
– Phishing, “social engineering,” exploiting trust
• Operational
– The one time you didn’t use a secure channel
– Person you shouldn’t have told
• Physical
– Theft, installation of malware, network taps, torture

Legal threat: NYT reporter investigated

What Are You Risking?
• Security is never free
– It costs time, money, and convenience

• “How much” security do you need?
– It depends on the risk
• Blown story
• Arrested source
• Dead source

Threat Modeling Scenario #1
You are a photojournalist in Syria with digital images you want to get out
of the country. Limited Internet access is available at a café.
Some of the images may identify people working with the rebels who
could be targeted by the government if their identity is revealed.

Threat Modeling Scenario #2
You are reporting on insider trading at a large bank and talking secretly to
two whistleblowers who may give you documents.
If these sources are identified before the story comes out, at the very
least you will lose your sources.

Threat Modeling Scenario #3
You are reporting a story about local police misconduct. You have talked
to sources including police officers and victims.
You would prefer that the police commissioner not know of your story
before it is published.

Threat Modeling Scenario #4
You are reporting on drug cartels in Central America. Previous sources and
journalists have been murdered.

Encryption vs. Anonymity

Encrypted message is like a sealed envelope.
Anyone can still read the address (metadata)

Data at Rest / Data in Motion

Securing Data at Rest
• How many copies are there?
– The original file might be on your phone, camera SD card, etc.
– What about backups and cloud syncing?
– Use secure erase products
• Could "they" get a copy?
– Hack into your network or computer
– Walk into your office at lunch
– Take your camera at the border
• If they had a copy, could they read it?
– Use BitLocker(Windows), FileVault (Mac), LUKS (Linux)
– Turn on device encryption for Android (iOS on by default)

File metadata

Photos, PDFs, documents all have hidden info in the file

Legal Security
In the U.S., the Privacy Protection Act prevents police from
seizing journalists’ data without a warrant... if you're the one
storing it.
Third party doctrine: if it’s in the cloud, no protection!

Surveillance Law: the U.S. situation
Do you need a warrant to see who I called?
Nope. Supreme court, Smith vs. Maryland, 1979 controls "metadata."
Do you need a warrant to read my email (or IM, etc.)?
Electronic Communications Privacy Act (1986): Not if it's older than 180 days
Department of Justice manual : no, if it has been "opened"
U.S. v. Warshak, sixth circuit (2010): yes
Proposed bill in congress (Dec 2015) would require warrant
Do you need a warrant to track someone through their phone?
ACLU FOIA of 200 police departments: some say yes, some say no
U.S. v. Jones (2012), Supreme Court: can't put a GPS on someone without a warrant. But doesn't mention
the GPS in our phones.
Do you need a warrant to look at the data on my phone after an arrest?
Yes. Supreme court said so in 2014, Riley vs. California.

"In the first public accounting of its kind,
cellphone carriers reported that they
responded to a startling 1.3 million
demands for subscriber information last
year from law enforcement agencies
seeking text messages, caller locations and
other information in the course of
investigations."
- Wireless Firms Are Flooded by Requests to Aid
Surveillance, New York Times, July 8 2012

Google Transparency Report

Twitter, Facebook have similar. But what about Snapchat? Sina?

Securing Data in Motion
• Where does your data physically go between source and
destination?
• Which links are encrypted?
• Tools you should know
– iMessage, Signal: secure text, calls
– CryptoCat — Easy OTR through your browser
– Tor — Anonymity
– SecureDrop — Anonymous submission
– PGP — Secure email
– OTR — Off-the-record messaging protocol

SSL
Aka, HTTPS.
Depends on a system of root certificate authorities (CAs) that
generate certificates (cryptographically sign keys) for sites that
use HTTPS.
Browsers have CA keys built in, so they can verify that a site has
a valid signed key.
Works great, except that certificate authorities can be hacked,
and we must expect that most states can easily sign a certificate
through a proxy.

Real MITM attacks

Mobile Security
• Your phone
– Is a location tracking device
– Contains all your contacts
– Is used for every form of communication
– Stores a lot of information

Tell-All Telephone (zeit.de)

Some digital security tools

iMessage
End-to-end encrypted.
Encrypted on the device.
Apple claims they do not have a
backdoor.
Ongoing court case vs. FBI

Signal (Open Whisper Systems)
Free app for iOS and Android
End-to-end encrypted chat, voice.
OWS claims server does not save your
address book.

Torproject.org

Tor Browser Bundle

The Guardian Project

Silent Circle
• Commercial service
– Secure mobile calls, video, texts
– Can hand prepaid cards to sources

Securing your computer
Really only two choices against an advanced adversary:
• Buy a new computer, never put it on any network
• Use a secure operating system like TAILS
Both approaches assume no one has tampered with the hardware (perhaps installing a hardware key
logger?)

Security = Model + Tools + Habits
There is no tool in the world that will save you from:




not protecting against the right threats
bad passwords
gullibility (phishing scams, social engineering)
misunderstanding the security model that your practice depends on.
not doing the secure thing every time.

• offline security breaches / physical coercion

From Allen Dulles' 73 Rules of Spycraft

Case study: leaked Cables
Julian Assange gave a password and a temporary URL to
Guardian reporter David Leigh.
Leigh downloaded the file in encrypted form from the temporary
URL.
Leigh decrypted the file and reported on the contents.
...but later, all the cables were available publicly, which is not
what either Assange or Leigh intended.

The Plan

M
Assange

password

E
E

UR
L

E

password

M
Leigh

What Assange was thinking

M

password

E
UR
L

E

E

Assange

password

M
Leigh

E

???

What Leigh was thinking

M

password

E
E

UR
L

Assange

E

password

M
Leigh

???

What actually happened
M

password

E
UR
L

E

E

password

Assange

M
Leigh

E
WL
Archiv
e

password

M

!!
!

Basic security practice, in short
Use real passwords
Understand and be alert for phishing
Know where your data is and where it goes
Keep your software up to date
Understand technical, legal, social, physical threats
Have a plan, make security a practice

Resources
Threat modeling for journalists

https://source.opennews.org/en-US/learning/security-journalists-part-two-threat-modeling /

Digital security training best practices, suggested curriculum
https://www.level-up.cc/about

Committee to Protect Journalists information security guide
http://www.cpj.org/reports/2012/04/information-security.php

Encryption and Operational Security for Journalists Hacks/Hackers
presentation
https://gist.github.com/vaguity/6594731
http://www.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php?page=all