Frontiers of Computational Journalism

Columbia Journalism School
Week 11: Privacy and Security

December 1, 2017
This class
• Digital Security Basics
• Mass Surveillance and Privacy
• Legal Landscape
• Threat Modeling
• Secure Reporting Recipes
• Case Study: Leaked Cables
Digital Security Basics
What everyone in the organization
needs to do
• Passwords and 2-step login
• Don’t fall for phishing
• Encrypt your devices
• Check your social media and cloud storage permissions
LinkedIn
from June 2012 breach

Gawker
from Dec 2010 breach
Two-Factor Authentication
Something you know, plus something you have
Good Password Practice

• Use two-factor authentication

• Don't use a common password. Avoid words in the dictionary.

• If you use the same password for multiple sites, your password is only
as strong as the security on the weakest site.

• Consider passphrases, and password management tools like
OnePass
Phishing
By far the most common attack. The attacker sends a message that
tricks the user into entering their password.

Typically directs users to a fake login page.

Protection: beware links that take you to a login page! Always read
the URL after clicking a link from a message.
AP Twitter Hacked by Phishing
AP Phishing Email

The link didn’t really go to washingtonpost.com!
John Podesta “hacked” by phishing
Syrian Facebook phishing

Arabic text reads: "Urgent and
critical.. video leaked by security
forces and thugs.. the revenge of
Assad's thugs against the free
men and women of Baba Amr in
captivity and taking turns raping
one of the women in captivity by
Assad's dogs.. please spread
this."
Chinese email spear-phishing
From FireEye blog post:
“In August 2015, the threat actors sent
spear phishing emails to a number of Hong
Kong-based media organizations, including
newspapers, radio, and television. The first
email references the creation of a Christian
civil society organization to coincide with
the anniversary of the 2014 protests in Hong
Kong known as the Umbrella Movement.
The second email references a Hong Kong
University alumni organization that fears
votes in a referendum to appoint a Vice-Chancellor
will be co-opted by pro-Beijing
interests”
Read the URL Before You Click!
Defending Against Phishing
• Be suspicious of generic messages

• Read the URL before you click

• Always read the URL before typing in a password

• Report suspicious links to security
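The URL check described above, written out as an added example (not part of the original slides). The allow-list and the example.net links are constructed for illustration; it shows that only the end of the hostname decides where a password goes.

```python
from urllib.parse import urlsplit

# Constructed allow-list of sites where staff really do log in (an assumption).
TRUSTED = {"washingtonpost.com", "accounts.google.com", "twitter.com"}

def check_link(url, trusted=TRUSTED):
    """Return 'trusted' or a short reason why the link should not get a password."""
    parts = urlsplit(url)
    # .hostname is what the browser connects to: no "user@" prefix, no port.
    host = (parts.hostname or "").rstrip(".")
    try:
        # Convert Unicode names to their ASCII (punycode) form for comparison.
        host = host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return "malformed host"
    if parts.scheme != "https":
        return "not https"
    if "@" in parts.netloc:
        return "userinfo trick, real host is " + host
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike characters (punycode) in " + host
    # Only an exact match or a true subdomain of a trusted site counts.
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    if any(t in host for t in trusted):
        return "trusted name buried inside " + host
    return "unknown host " + host

# Constructed sample links; example.net is a reserved documentation domain.
SAMPLES = [
    "https://www.washingtonpost.com/politics/story.html",
    "https://washingtonpost.com.login.example.net/signin",
    "https://washingtonpost.com@example.net/signin",
    "https://w\u0430shingtonpost.com/signin",   # Cyrillic "a"
    "http://www.washingtonpost.com/signin",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_link(link), "<-", link)
```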
Laptop falls into Syrian govt.
hands, sources forced to flee
Encrypt your storage

Turn on disk encryption! It’s built in.
Use BitLocker (Windows), FileVault (Mac)
Encrypt your phone too!
Mass Surveillance and Privacy
Background yourself on social media!

Use someone else’s computer (or an Incognito window) and
research yourself. See if you can find your home address, date of
birth, or child’s school.
AP source busted through
phone logs
Tell-All Telephone (zeit.de)
From Protecting Consumer Privacy in an Era of Rapid Change, FTC, 2010
Open Network Initiative global filtering map --
opennet.net
SSL
Also known as HTTPS.

Depends on a system of root certificate authorities (CAs) that
generate certificates (cryptographically sign keys) for sites that use
HTTPS.

Browsers have CA keys built in, so they can verify that a site has a
valid signed key.

Works great, except that certificate authorities can be hacked,
and we must expect that most states can easily sign a certificate
through a proxy.
Real MITM attacks
Legal Landscape
Legal Security

In the U.S., the Privacy Protection Act prevents police from seizing
journalists’ data without a warrant... if you're the one storing it.

Third party doctrine: if it’s in the cloud, no protection!
Third party doctrine in privacy law

Smith v. Maryland, Supreme Court, 1979
Surveillance Law: the U.S. situation
Do you need a warrant to see who I called?
Nope. Supreme Court, Smith vs. Maryland, 1979 controls "metadata."

Do you need a warrant to read my email (or IM, etc.)?
Electronic Communications Privacy Act (1986): Not if it's older than 180 days
U.S. v. Warshak, Sixth Circuit (2010): yes
Proposed Email Privacy Act (passed House April 2016): yes

Do you need a warrant to track someone through their phone?
ACLU FOIA of 200 police departments (2013): some say yes, some say no
U.S. v. Jones (2012), Supreme Court: can't put a GPS on someone without a warrant. But
doesn't mention the GPS in our phones.
18 states now require warrant (2015)

Do you need a warrant to look at the data on my phone after an arrest?
Yes. Supreme Court said so in 2014, Riley vs. California.
"In the first public accounting of its
kind, cellphone carriers reported
that they responded to a startling
1.3 million demands for subscriber
information last year from law
enforcement agencies seeking text
messages, caller locations and other
information in the course of
investigations."

- Wireless Firms Are Flooded by
Requests to Aid Surveillance, New York
Times, July 8 2012
Google Transparency Report
Facebook Transparency Report
Facebook, Skype, WhatsApp, etc. can be monitored by parent company.

And requested by law enforcement.

Pictured: Facebook
requests, Q1-Q2 2015
Threat Modeling
How to plan for a sensitive story
What do I want to keep private?
(Messages, locations, identities, networks...)

Who wants to know?
(story subject, governments, law enforcement, corporations...)

What can they do?
(eavesdrop, subpoena... or exploit security lapses and accidents!)

What happens if they succeed?
(story's blown, legal problems for a source, someone gets killed...)
What Must Be Private?
• Which data?
o Emails and other communications
o Photos, footage, notes
o Your address book, travel itineraries, etc.

• Privacy vs. anonymity
o Encryption protects content of an email or IM
o Not the identity of sender and recipient
Who Wants to Know?
Most of the time, the NSA is not the problem

Your adversary could be the subject of a story, a government,
another news organization, etc.
What Can the Adversary Do?
• Technical
o Hacking, intercepting communications, code-breaking
• Legal
o Lawsuits, subpoenas, detention
• Social
o Phishing, “social engineering,” exploiting trust
• Operational
o The one time you didn’t use a secure channel
o Person you shouldn’t have told
• Physical
o Theft, installation of malware, network taps, violence
Legal threat: NYT reporter investigated
Threat Modeling Scenario #1
You are a photojournalist in Syria with digital images you want
to get out of the country. Limited Internet access is available
at a café.
Some of the images may identify people working with the
rebels who could be targeted by the government if their
identity is revealed.
Threat Modeling Scenario #2
You are reporting on insider trading at a large bank and
talking secretly to two whistleblowers who may give you
documents.
If these sources are identified before the story comes out, at
the very least you will lose your sources.
Threat Modeling Scenario #3
You are reporting a story about local police misconduct. You
have talked to sources including police officers and victims.
You would prefer that the police commissioner not know of
your story before it is published.
Threat Modeling Scenario #4
You are reporting on drug cartels in Central America. Previous
sources and journalists have been murdered.
Secure Communication
Slack (etc.) lives forever – and killed Gawker
Text messages
Standard text messages are incredibly insecure.

Facebook, WhatsApp, WeChat, etc. are logged by the parent
company – and can be subpoenaed by law enforcement.

Use iMessage or Signal.
SMS is not encrypted! The phone
company logs them, and devices
exist to read all SMS text messages
sent by nearby phones.
iMessage is very secure,
but you must turn off
“Send as SMS”

Correctly sent messages
are blue.
WhatsApp recently implemented
Signal protocol on all platforms. But
metadata probably still available to
Facebook, and subpoenable.
Signal is the free, secure messaging app.

Axolotl Ratchet protocol provides forward secrecy.

Android, iPhone, Desktop.
Signal vs. Law Enforcement
Email
Email is difficult to secure. Avoid it if you can.

Limited security if both ends of the conversation always use
Gmail, Hushmail, or ProtonMail. Still subject to subpoena.

I do not recommend PGP/GPG. Hard to get right, does not hide
metadata, no forward secrecy (old messages revealed if
someone gets your private key.)
Phone calls
Standard phone calls leave “metadata” at phone company.
Who you called, when, how long you talked, where you were.

Who can access this?

Definitely law enforcement.
Sharing and Storing Data
How many copies?
The original file might be on your phone, camera SD card, etc.

What about backups and cloud syncing? Email attachments?

Use secure erase products – but there may still be traces
(temporary files, filenames in “recently used” lists, etc.)
Physical data security
Who could steal your laptop?

Keep drives, papers, etc. locked up.

If someone else can access your
computer, they can install spyware.
Anonymous Sources
Anonymous sources
Anonymity is not the same as privacy

It is much harder.

There are many ways to accidentally reveal someone’s identity.

The key concept is “linkability” between different accounts and
identifiers.
Private but not anonymous

Encrypted message is like a sealed envelope.
Anyone can still read the address (metadata)
Communicating with sources
“So I meet employee X, and we have a cup of coffee even, and we
want to exchange contacts. And if I pull him aside and say, all right,
from now on you’ll call me “Popeye”, and here’s where you
download TAILS and we’ll set up secret, spooky accounts and
encryption, it’s as if I was saying, here let me have your phone
number, and by the way can you show me any recent STD tests,
and which brand of condom do you like? It’s sort of who are you,
what are you talking about, I didn’t agree to anything like this.”

- Barton Gellman of the Washington Post, at the HOPE X conference
The only practical answer
Don’t give the source any way to communicate with you that is
not secure.

If they have a Gmail address, and you have a Gmail address, and
Google is unlikely to cooperate with your adversary, use Gmail.

Otherwise: iMessage, WhatsApp, or Signal. But usually you add a
contact by entering a phone number, so how do you prevent the
source from just calling you?
Anonymous Browsing
IP address reveals location
(and often organization)

From whatismyip.com
Torproject.org
Tor Browser Bundle
IP address in web server logs
reveals story in progress

- US vs Skelos S1 15. Cr. 317 (KMW)
Handling Leaks
Receiving Leaks
Prevent the adversary from knowing who leaked – keep the
source anonymous.

Corporate networks are monitored. Personal devices are
associated with identifying information. The most secure method for
transferring sensitive files is still a face-to-face meeting.

Publishing is a problem too! File metadata has blown more than
one source.
File metadata

Word documents, PDFs, etc. all have hidden info
in the file, including author name and creation date.
Crossing Borders
Crossing borders
Prepare to be searched. Encrypt your devices. But realize that
you may have to give up your password.

Prepare to have equipment seized. Have backups.

Best plan may be to send data home over the network.
US Border crossing guide
EFF’s “Digital Privacy at the US Border: Protecting Data on Your
Devices and in the Cloud”
https://www.eff.org/wp/digital-privacy-us-border-2017
Case Study: Leaked Cables
How the leak was leaked
Julian Assange gave a password and a temporary URL to
Guardian reporter David Leigh.

Leigh downloaded the file in encrypted form from the
temporary URL.

Leigh decrypted the file and reported on the contents.

...but later, all the cables were available publicly, which is
not what either Assange or Leigh intended.
The Plan

[Diagram: Assange and Leigh. Labels: password, E, URL, E, password, M.]
What Assange was thinking

[Diagram: Assange and Leigh. Labels: password, E, URL, E, password, M. Annotation: "E ???"]
What Leigh was thinking

[Diagram: Assange and Leigh. Labels: password, E, URL, E, password, M. Annotation: "???"]
What actually happened
[Diagram: Assange and Leigh. Labels: password, E, URL, E, password, M. Added: E, WL Archive, password, "M !!!"]
Digital security for journalists in one slide
Use real passwords + 2 step login. Recognize phishing. Encrypt your devices.
Know what social media reveals.

Use threat modeling to make a plan for your story. Know what you are
protecting from whom. Integrate digital with physical, legal, operational
security.

Avoid email. Use iMessage, WhatsApp, or Signal. Give sources a secure
channel from the start.

Source anonymity requires extensive planning, both online and offline.

Know exactly what data is sensitive, how many copies there are, and where.
Some resources
Committee to Protect Journalists information security guide
http://www.cpj.org/reports/2012/04/information-security.php

Threat modeling in detail
https://source.opennews.org/en-US/learning/security-journalists-part-two-threat-modeling/

Digital Security and Source Protection for Journalists
http://susanemcgregor.com/digital-security/