Frontiers

of
Computational Journalism
Columbia Journalism School
Week 12: Privacy and Security
December 11, 2015

Laptop falls into Syrian govt. hands,

sources forced to flee

AP source busted through phone logs

.
.
.

Open Network Initiative global filtering map -- opennet.net

From Protecting Consumer Privacy in an Era of Rapid Change, FTC,

Journalism Security Disasters

Hacked accounts and sites
AP
Washington Post, New York Times,
etc.

Sources exposed
Vice reveals John McAfees location
AP phone records subpoena
Filmmakers laptop seized in Syria

What Are We Protecting?

Commitments to sources
Physical safety
Legal concerns
Our ability to operate
Our reputation

Holistic security (What digital security isnt)

The predominant digital security discourse takes little or no heed of the elements of
personal, organisational or psychological security inherent to the establishment of an
effective and cohesive security strategies.
The tendency, aggravated by time constraints and necessary technical skill-building, has
been to treat digital security as a technical problem with technical solutions, and therefore
to focus on a software or tool-centric approach, generally without due consideration of the
wider organisational and personal necessity or impact thereof.
Meanwhile, practitioners focusing on the personal, organisational, and psycho-social wellbeing of HRDs must adapt to the implications of the rapid proliferation of digital tools and
ICTs as an aspect of human rights defenders work and personal lives.
- Towards Holistic Security for Rights Advocates, Tactical Tech

Digital Security strategies

Basic security practice: simple things that protect against many
threats.
Threat modeling: discover and defend against specific threats
Recipes: how handle specific reporting situations

LinkedIn
from June 2012 breach

Gawker
from Dec 2010 breach

Two-Factor Authentication
Something you know, plus something you have

Good Password Practice

If you use the same password for multiple sites, your password is only as strong as
the security on the weakest site.
Don't use a common password. Avoid words in the dictionary.
Use two-factor authentication
Consider passphrases, and password management tools like OnePass

Phishing
By far the most common attack. Send a message to user tricking
them into entering their password.
Typically directs users to a fake login page.
Protection: beware links that take you to a login page! Always
read the URL after clicking a link from a message.

AP Twitter Hacked by Phishing

AP Phishing Email

The link didnt really go to washingtonpost.com!

Read the URL Before You Click!

Spear Phishing
Selected targets, personalized messages.

Syrian Facebook phishing

Arabic text reads: "Urgent and critical..
video leaked by security forces and
thugs.. the revenge of Assad's thugs
against the free men and women of
Baba Amr in captivity and taking turns
raping one of the women in captivity by
Assad's dogs.. please spread this."

Chinese email spear-phishing

From FireEye blog post:
In August 2015, the threat actors sent spear
phishing emails to a number of Hong Kongbased media organizations, including
newspapers, radio, and television. The first
email references the creation of a Christian
civil society organization to coincide with the
anniversary of the 2014 protests in Hong
Kong known as the Umbrella Movement. The
second email references a Hong Kong
University alumni organization that fears
votes in a referendum to appoint a ViceChancellor will be co-opted by pro-Beijing
interests

Defending Against Phishing

Be suspicious of generic messages
Read the URL before you click
Always read the URL before typing in a password
Report suspicious links to IT security

Threat modeling
What do I want to keep private?
(Messages, locations, identities, networks...)

Who wants to know?

(story subject, governments, law enforcement, corporations...)

What can they do?

(eavesdrop, subpoena... or exploit security lapses and accidents!)

What happens if they succeed?

(story's blown, legal problems for a source, someone gets killed...)

What Must Be Private?

Which data?
Emails and other communications
Photos, footage, notes
Your address book, travel itineraries, etc.

Privacy vs. anonymity

Encryption protects content of an email or IM
Not the identity of sender and recipient

Who Wants to Know?

Most of the time, the NSA is not the problem
Your adversary could be the subject of a story, a government,
another news organization, etc.

What Can the Adversary Do?

Technical
Hacking, intercepting communications, code-breaking
Legal
Lawsuits, subpoenas, detention
Social
Phishing, social engineering, exploiting trust
Operational
The one time you didnt use a secure channel
Person you shouldnt have told
Physical
Theft, installation of malware, network taps, torture

Legal threat: NYT reporter investigated

What Are You Risking?

Security is never free
It costs time, money, and convenience

How much security do you need?

It depends on the risk
Blown story
Arrested source
Dead source

Threat Modeling Scenario #1

You are a photojournalist in Syria with digital images you want to get out
of the country. Limited Internet access is available at a caf.
Some of the images may identify people working with the rebels who
could be targeted by the government if their identity is revealed.

Threat Modeling Scenario #2

You are reporting on insider trading at a large bank and talking secretly to
two whistleblowers who may give you documents.
If these sources are identified before the story comes out, at the very
least you will lose your sources.

Threat Modeling Scenario #3

You are reporting a story about local police misconduct. You have talked
to sources including police officers and victims.
You would prefer that the police commissioner not know of your story
before it is published.

Threat Modeling Scenario #4

You are reporting on drug cartels in Central America. Previous sources and
journalists have been murdered.

Encryption vs. Anonymity

Encrypted message is like a sealed envelope.

Anyone can still read the address (metadata)

Data at Rest / Data in Motion

Securing Data at Rest

How many copies are there?
The original file might be on your phone, camera SD card, etc.
What about backups and cloud syncing?
Use secure erase products
Could "they" get a copy?
Hack into your network or computer
Walk into your office at lunch
Take your camera at the border
If they had a copy, could they read it?
Use BitLocker(Windows), FileVault (Mac), LUKS (Linux)
Turn on device encryption for Android (iOS on by default)

File metadata

Photos, PDFs, documents all have hidden info in the file

Legal Security
In the U.S., the Privacy Protection Act prevents police from
seizing journalists data without a warrant... if you're the one
storing it.
Third party doctrine: if its in the cloud, no protection!

Surveillance Law: the U.S. situation

Do you need a warrant to see who I called?
Nope. Supreme court, Smith vs. Maryland, 1979 controls "metadata."
Do you need a warrant to read my email (or IM, etc.)?
Electronic Communications Privacy Act (1986): Not if it's older than 180 days
Department of Justice manual : no, if it has been "opened"
U.S. v. Warshak, sixth circuit (2010): yes
Proposed bill in congress (Dec 2015) would require warrant
Do you need a warrant to track someone through their phone?
ACLU FOIA of 200 police departments: some say yes, some say no
U.S. v. Jones (2012), Supreme Court: can't put a GPS on someone without a warrant. But doesn't mention
the GPS in our phones.
Do you need a warrant to look at the data on my phone after an arrest?
Yes. Supreme court said so in 2014, Riley vs. California.

"In the first public accounting of its kind,

cellphone carriers reported that they
responded to a startling 1.3 million
demands for subscriber information last
year from law enforcement agencies
seeking text messages, caller locations and
other information in the course of
investigations."
- Wireless Firms Are Flooded by Requests to Aid
Surveillance, New York Times, July 8 2012

Google Transparency Report

Twitter, Facebook have similar. But what about Snapchat? Sina?

Securing Data in Motion

Where does your data physically go between source and
destination?
Which links are encrypted?
Tools you should know
iMessage, Signal: secure text, calls
CryptoCat Easy OTR through your browser
Tor Anonymity
SecureDrop Anonymous submission
PGP Secure email
OTR Off-the-record messaging protocol

SSL
Aka, HTTPS.
Depends on a system of root certificate authorities (CAs) that
generate certificates (cryptographically sign keys) for sites that
use HTTPS.
Browsers have CA keys built in, so they can verify that a site has
a valid signed key.
Works great, except that certificate authorities can be hacked,
and we must expect that most states can easily sign a certificate
through a proxy.

Real MITM attacks

Mobile Security
Your phone
Is a location tracking device
Contains all your contacts
Is used for every form of communication
Stores a lot of information

Tell-All Telephone (zeit.de)

Some digital security tools

iMessage
End-to-end encrypted.
Encrypted on the device.
Apple claims they do not have a
backdoor.
Ongoing court case vs. FBI

Signal (Open Whisper Systems)

Free app for iOS and Android
End-to-end encrypted chat, voice.
OWS claims server does not save your
address book.

Torproject.org

Tor Browser Bundle

The Guardian Project

Silent Circle
Commercial service
Secure mobile calls, video, texts
Can hand prepaid cards to sources

Securing your computer

Really only two choices against an advanced adversary:
Buy a new computer, never put it on any network
Use a secure operating system like TAILS
Both approaches assume no one has tampered with the hardware (perhaps installing a hardware key
logger?)

Security = Model + Tools + Habits

There is no tool in the world that will save you from:

not protecting against the right threats

bad passwords
gullibility (phishing scams, social engineering)
misunderstanding the security model that your practice depends on.
not doing the secure thing every time.

offline security breaches / physical coercion

From Allen Dulles' 73 Rules of Spycraft

Case study: leaked Cables

Julian Assange gave a password and a temporary URL to
Guardian reporter David Leigh.
Leigh downloaded the file in encrypted form from the temporary
URL.
Leigh decrypted the file and reported on the contents.
...but later, all the cables were available publicly, which is not
what either Assange or Leigh intended.

The Plan

M
Assange

password

E
E

UR
L

password

M
Leigh

What Assange was thinking

password

E
UR
L

Assange

password

M
Leigh

???

What Leigh was thinking

password

E
E

UR
L

Assange

password

M
Leigh

???

What actually happened

M

password

E
UR
L

password

Assange

M
Leigh

E
WL
Archiv
e

password

!!
!

Basic security practice, in short

Use real passwords
Understand and be alert for phishing
Know where your data is and where it goes
Keep your software up to date
Understand technical, legal, social, physical threats
Have a plan, make security a practice

Resources
Threat modeling for journalists

https://source.opennews.org/en-US/learning/security-journalists-part-two-threat-modeling /

Digital security training best practices, suggested curriculum

https://www.level-up.cc/about

Committee to Protect Journalists information security guide

http://www.cpj.org/reports/2012/04/information-security.php

Encryption and Operational Security for Journalists Hacks/Hackers

presentation
https://gist.github.com/vaguity/6594731
http://www.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php?page=all