Frontiers of

Computational Journalism
Columbia Journalism School
Week 11: Privacy and Security
December 2, 2016

This class






Digital Security Basics
Mass Surveillance and Privacy
Legal Landscape
Reporting Recipes
Threat Modeling
Methods, Tools, Habits
Case Study: Leaked Cables

Laptop falls into Syrian govt.
hands, sources forced to flee

AP source busted through
phone logs

What Are We Protecting?




Commitments to sources
Physical safety
Legal concerns
Our ability to operate
Our reputation

Holistic security
(What “digital security” isn’t)
The predominant digital security discourse takes little or no heed of the elements of
personal, organisational or psychological security inherent to the establishment of an
effective and cohesive security strategies.
The tendency, aggravated by time constraints and necessary technical skill-building,
has been to treat digital security as a technical problem with technical solutions, and
therefore to focus on a software or tool-centric approach, generally without due
consideration of the wider organisational and personal necessity or impact thereof.
Meanwhile, practitioners focusing on the personal, organisational, and psycho-social
well-being of HRDs must adapt to the implications of the rapid proliferation of digital
tools and ICTs as an aspect of human rights defenders’ work and personal lives.
- Towards Holistic Security for Rights Advocates, Tactical Tech

Digital Security Basics

Digital Security Basics


Passwords and 2-step login
Don’t fall for phishing
Encrypt your devices

LinkedIn
from June 2012 breach

Gawker
from Dec 2010 breach

Two-Factor Authentication
Something you know, plus something you have

Good Password Practice

If you use the same password for multiple sites, your password is only
as strong as the security on the weakest site.

Don't use a common password. Avoid words in the dictionary.

Use two-factor authentication

Consider passphrases, and password management tools like
OnePass

Phishing
By far the most common attack. Send a message to user tricking
them into entering their password.
Typically directs users to a fake login page.
Protection: beware links that take you to a login page! Always read
the URL after clicking a link from a message.

AP Twitter Hacked by Phishing

AP Phishing Email

The link didn’t really go to washingtonpost.com!

Read the URL Before You Click!

Spear Phishing
Selected targets, personalized messages.

Syrian Facebook
phishing
Arabic text reads: "Urgent and
critical.. video leaked by security
forces and thugs.. the revenge of
Assad's thugs against the free
men and women of Baba Amr in
captivity and taking turns raping
one of the women in captivity by
Assad's dogs.. please spread
this."

Chinese email spearphishing
From FireEye blog post:
“In August 2015, the threat actors sent
spear phishing emails to a number of Hong
Kong-based media organizations, including
newspapers, radio, and television. The first
email references the creation of a Christian
civil society organization to coincide with
the anniversary of the 2014 protests in Hong
Kong known as the Umbrella Movement.
The second email references a Hong Kong
University alumni organization that fears
votes in a referendum to appoint a ViceChancellor will be co-opted by pro-Beijing
interests”

Defending Against Phishing
•Be suspicious of generic messages
•If it seems too good to be true, it probably is.
•Read the URL before you click
•Always read the URL before typing in a password
•Report suspicious links to IT security

Encrypt your storage

Turn on disk encryption! It’s built in.
Use BitLocker (Windows), FileVault (Mac)
Encrypt your phone too!

Mass Surveillance and Privacy

Know what social media reveals:
background yourself!

Use someone else’s computer (or an Incognito window) and
research yourself. See if you can find your home address, date of
birth, or child’s school.

Social media privacy settings

Have you thought about how you want to use Facebook?

Tell-All Telephone (zeit.de)

From Protecting Consumer Privacy in an Era of Rapid Change, FTC, 2010

Open Network Initiative global filtering map -opennet.net

SSL
Aka, HTTPS.
Depends on a system of root certificate authorities (CAs) that
generate certificates (cryptographically sign keys) for sites that use
HTTPS.
Browsers have CA keys built in, so they can verify that a site has a
valid signed key.
Works great, except that certificate authorities can be hacked,
and we must expect that most states can easily sign a certificate
through a proxy.

Real MITM attacks

Legal Landscape

Legal Security
In the U.S., the Privacy Protection Act prevents police from seizing
journalists’ data without a warrant... if you're the one storing it.
Third party doctrine: if it’s in the cloud, no protection!

Surveillance Law: the U.S. situation

Do you need a warrant to see who I called?
Nope. Supreme court, Smith vs. Maryland, 1979 controls "metadata."

Do you need a warrant to read my email (or IM, etc.)?
Electronic Communications Privacy Act (1986): Not if it's older than 180 days
U.S. v. Warshak, sixth circuit (2010): yes
Proposed Email Privacy Act (passed House April 2016): yes
Do you need a warrant to track someone through their phone?
ACLU FOIA of 200 police departments (2013): some say yes, some say no
U.S. v. Jones (2012), Supreme Court: can't put a GPS on someone without a warrant. But
doesn't mention the GPS in our phones.
18 states now require warrant (2015)
Do you need a warrant to look at the data on my phone after an arrest?
Yes. Supreme court said so in 2014, Riley vs. California.

"In the first public accounting of its
kind, cellphone carriers reported
that they responded to a startling
1.3 million demands for subscriber
information last year from law
enforcement agencies seeking text
messages, caller locations and other
information in the course of
investigations."
- Wireless Firms Are Flooded by
Requests to Aid Surveillance, New York
Times, July 8 2012

Google Transparency Report

Twitter, Facebook have similar. But what about Snapchat? Sina?

Threat Modeling

Threat modeling
What do I want to keep private?
(Messages, locations, identities, networks...)

Who wants to know?
(story subject, governments, law enforcement, corporations...)

What can they do?
(eavesdrop, subpoena... or exploit security lapses and accidents!)

What happens if they succeed?
(story's blown, legal problems for a source, someone gets killed...)

What Must Be Private?
• Which data?
o Emails and other communications
o Photos, footage, notes
o Your address book, travel itineraries, etc.

• Privacy vs. anonymity
o Encryption protects content of an email or IM
o Not the identity of sender and recipient

Who Wants to Know?
Most of the time, the NSA is not the problem
Your adversary could be the subject of a story, a government,
another news organization, etc.

What Can the Adversary Do?



Technical
o Hacking, intercepting communications, code-breaking
Legal
o Lawsuits, subpoenas, detention
Social
o Phishing, “social engineering,” exploiting trust
Operational
o The one time you didn’t use a secure channel
o Person you shouldn’t have told
Physical
o Theft, installation of malware, network taps, torture

Legal threat: NYT reporter investigated

What Are You Risking?
• Security is never free
o It costs time, money, and convenience

• “How much” security do you need?
o It depends on the risk
• Blown story
• Arrested source
• Dead source

Threat Modeling Scenario #1
You are a photojournalist in Syria with digital images you want
to get out of the country. Limited Internet access is available
at a café.
Some of the images may identify people working with the
rebels who could be targeted by the government if their
identity is revealed.

Threat Modeling Scenario #2
You are reporting on insider trading at a large bank and
talking secretly to two whistleblowers who may give you
documents.
If these sources are identified before the story comes out, at
the very least you will lose your sources.

Threat Modeling Scenario #3
You are reporting a story about local police misconduct. You
have talked to sources including police officers and victims.
You would prefer that the police commissioner not know of
your story before it is published.

Threat Modeling Scenario #4
You are reporting on drug cartels in Central America. Previous
sources and journalists have been murdered.

Reporting Recipes

Text messages
Standard text messages are incredibly insecure.
Facebook, WhatsApp, WeChat, etc. are logged by the parent
company – and can be subpoenaed by law enforcement.
Use iMessage or Signal.

SMS is not encrypted! The phone
company logs them, and devices
exist to read all SMS text messages
sent by nearby phones.

iMessage is very secure,
but you must turn off
“Send as SMS”
Correctly sent messages
are blue.

WhatsApp recently implemented
Signal protocol on all platforms. But
metadata probably still available to
Facebook, and subpoenable.

Signal is the free,
secure messaging
app.
Axlotl Ratchet
protocol provides
forward secrecy.
Android, iPhone,
Desktop.

Crypto.cat — secure communication in
your browser

Email
Email is difficult to secure. Avoid it if you can.
Limited security if both ends of the conversation always use
Gmail, Hushmail, or ProtonMail. Still subject to subpeona.
I do not recommend PGP/GPG. Hard to get right, does not hide
metadata, no forward secrecy.

Phone calls
Standard phone calls leave “metadata” at phone company.
Who you called, when, how long you talked, where you were.
Who can access this?
Definitely law enforcement.

Phone records get a source busted
“The AP phone records were sought after interviews of more than
550 people turned up insufficient evidence of who leaked the
information about the Al Qaeda of the Arabian Peninsula plot,
officials said.

Only after the AP phone records pointed to Sachtleben as a
suspect in the leak was the computer checked for classified
information, setting in motion the leak charges, the official
added.”
- Ex-FBI agent admits to AP leak, Politico, 9/23/13

Facebook,
Skype, WhatsApp,
etc. can be
monitored by
parent company.
And requested by
law enforcement.
Pictured: Facebook
requests, Q1-Q2 2015

Signal app once again!

Communicating with sources
“So I meet employee X, and we have a cup of coffee even, and we
want to exchange contacts. And if I pull him aside and say, all right,
from now on you’ll call me “Popeye”, and here’s where you
download TAILS and we’ll set up secret, spooky accounts and
encryption, it’s as if I was saying, here let me have your phone
number, and by the way can you show me any recent STD tests,
and which brand of condom do you like? It’s sort of who are you,
what are you talking about, I didn’t agree to anything like this.”
- Barton Gelman of the Washington Post, at the HOPE X conference

The only practical answer
Don’t give the source any way to communicate with you that is
not secure.
If they have a gmail address, and you have a gmail address, and
Google is unlikely to cooperate with your adversary, use gmail.
Otherwise: iMessage, WhatsApp, or Signal. But usually you add a
contact by entering a phone number, so how to prevent source
from just calling you?

Anonymous sources
Anonymity is not the same as privacy
It is much harder.
There are many ways to accidentally reveal someone’s identity.

Private but not anonymous

Encrypted message is like a sealed envelope.
Anyone can still read the address (metadata)

IP address reveals location

From whatismyip.com

Torproject.org

Tor Browser Bundle

Corporate networks are monitored

File metadata

Word documents, PDFs, etc. all have hidden info
in the file, including author name, creation date.

Sharing files
Do not share sensitive files by email.
PLEASE do not share sensitive files by email?
Google Drive, Dropbox, etc. are okay… unless someone gets a
court order.
If you’re on Mac or iPhone, share through Messages.

How many copies?
The original file might be on your phone, camera SD card, etc.
What about backups and cloud syncing? Email attachments?
Use secure erase products – but there may still be traces
(temporary files, filenames in “recently used” lists, etc.)

Encrypt your storage
Really…
Phones and USB sticks too.
On by default for iPhone,
turn it on in Android.

Physical data security
Who could steal your laptop?
Keep drives, papers, etc. locked up.
If someone else can access your
computer, they can install spyware.

Crossing borders
Prepare to be searched. Encrypt your devices.
Prepare to have equipment seized. Have backups.
Best plan may be to send data home over the network.

Protecting your location
Social media posts are often geo-tagged.
Phones are security disaster. Your location is continuously
recorded.
Phones and cameras often save GPS coordinates in the photo
file.

Tell-All Telephone (zeit.de)

Geo-tagged posts

Get familiar with location settings

Location metadata

Many phones and cameras store time and location in image
files (EXIF data). There are online tools to check and edit.

Security = Model + Tools + Habits
There is no tool in the world that will save you from:
not protecting against the right threats
bad passwords
gullibility (phishing scams, social engineering)
misunderstanding the security model that your practice
depends on.
• not doing the secure thing every time.



• offline security breaches / physical coercion

From Allen Dulles' 73 Rules of Spycraft

Case Study: Leaked Cables

How the leak was leaked
Julian Assange gave a password and a temporary URL to
Guardian reporter David Leigh.
Leigh downloaded the file in encrypted form from the
temporary URL.
Leigh decrypted the file and reported on the contents.
...but later, all the cables were available publicly, which is
not what either Assange or Leigh intended.

The Plan
M
Assange

password E

E
UR
L

E

password M
Leigh

What Assange was thinking
M

E

password E

UR
L

E

Assange

password M
Leigh

E

???

What Leigh was thinking
M

password E

E
UR
L

Assange

E

password M
Leigh

???

What actually happened
M

E

password E

UR
L

E

password M

Assange

Leigh
E
WL
Archi
ve

password

M

!!!

Digital security for journalists in one slide
Use real passwords + 2 step login. Recognize phishing. Encrypt your devices.
Know what social media reveals.
Use threat modeling to make a plan for your story. Know what you are
protecting from whom. Integrate digital with physical, legal, operational
security.
Avoid email. Use iMessage, WhatsApp, or Signal. Give sources a secure
channel from the start.
Source anonymity requires extensive planning, both online and offline.
Know exactly what data is sensitive, how many copies there are, and where.

Some resources
Committee to Protect Journalists information security guide
http://www.cpj.org/reports/2012/04/information-security.php

Threat modeling in detail
https://source.opennews.org/en-US/learning/security-journalists-part-two-threat-modeling/

Digital Security and Source Protection for Journalists
http://susanemcgregor.com/digital-security/

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.