Академический Документы
Профессиональный Документы
Культура Документы
Computational Journalism
Columbia Journalism School
Week 11: Privacy and Security
December 2, 2016
This class
Commitments to sources
Physical safety
Legal concerns
Our ability to operate
Our reputation
Holistic security
(What digital security isnt)
The predominant digital security discourse takes little or no heed of the elements of
personal, organisational or psychological security inherent to the establishment of an
effective and cohesive security strategies.
The tendency, aggravated by time constraints and necessary technical skill-building,
has been to treat digital security as a technical problem with technical solutions, and
therefore to focus on a software or tool-centric approach, generally without due
consideration of the wider organisational and personal necessity or impact thereof.
Meanwhile, practitioners focusing on the personal, organisational, and psycho-social
well-being of HRDs must adapt to the implications of the rapid proliferation of digital
tools and ICTs as an aspect of human rights defenders work and personal lives.
- Towards Holistic Security for Rights Advocates, Tactical Tech
LinkedIn
from June 2012 breach
Gawker
from Dec 2010 breach
Two-Factor Authentication
Something you know, plus something you have
If you use the same password for multiple sites, your password is only
as strong as the security on the weakest site.
Phishing
By far the most common attack. Send a message to user tricking
them into entering their password.
Typically directs users to a fake login page.
Protection: beware links that take you to a login page! Always read
the URL after clicking a link from a message.
AP Phishing Email
Spear Phishing
Selected targets, personalized messages.
Syrian Facebook
phishing
Arabic text reads: "Urgent and
critical.. video leaked by security
forces and thugs.. the revenge of
Assad's thugs against the free
men and women of Baba Amr in
captivity and taking turns raping
one of the women in captivity by
Assad's dogs.. please spread
this."
SSL
Aka, HTTPS.
Depends on a system of root certificate authorities (CAs) that
generate certificates (cryptographically sign keys) for sites that use
HTTPS.
Browsers have CA keys built in, so they can verify that a site has a
valid signed key.
Works great, except that certificate authorities can be hacked,
and we must expect that most states can easily sign a certificate
through a proxy.
Legal Landscape
Legal Security
In the U.S., the Privacy Protection Act prevents police from seizing
journalists data without a warrant... if you're the one storing it.
Third party doctrine: if its in the cloud, no protection!
Threat Modeling
Threat modeling
What do I want to keep private?
(Messages, locations, identities, networks...)
Technical
o Hacking, intercepting communications, code-breaking
Legal
o Lawsuits, subpoenas, detention
Social
o Phishing, social engineering, exploiting trust
Operational
o The one time you didnt use a secure channel
o Person you shouldnt have told
Physical
o Theft, installation of malware, network taps, torture
Reporting Recipes
Text messages
Standard text messages are incredibly insecure.
Facebook, WhatsApp, WeChat, etc. are logged by the parent
company and can be subpoenaed by law enforcement.
Use iMessage or Signal.
Email
Email is difficult to secure. Avoid it if you can.
Limited security if both ends of the conversation always use
Gmail, Hushmail, or ProtonMail. Still subject to subpeona.
I do not recommend PGP/GPG. Hard to get right, does not hide
metadata, no forward secrecy.
Phone calls
Standard phone calls leave metadata at phone company.
Who you called, when, how long you talked, where you were.
Who can access this?
Definitely law enforcement.
Facebook,
Skype, WhatsApp,
etc. can be
monitored by
parent company.
And requested by
law enforcement.
Pictured: Facebook
requests, Q1-Q2 2015
Anonymous sources
Anonymity is not the same as privacy
It is much harder.
There are many ways to accidentally reveal someones identity.
From whatismyip.com
Torproject.org
File metadata
Sharing files
Do not share sensitive files by email.
PLEASE do not share sensitive files by email?
Google Drive, Dropbox, etc. are okay unless someone gets a
court order.
If youre on Mac or iPhone, share through Messages.
Crossing borders
Prepare to be searched. Encrypt your devices.
Prepare to have equipment seized. Have backups.
Best plan may be to send data home over the network.
Geo-tagged posts
Location metadata
The Plan
M
Assange
password E
E
UR
L
password M
Leigh
password E
UR
L
Assange
password M
Leigh
???
password E
E
UR
L
Assange
password M
Leigh
???
password E
UR
L
password M
Assange
Leigh
E
WL
Archi
ve
password
!!!
Some resources
Committee to Protect Journalists information security guide
http://www.cpj.org/reports/2012/04/information-security.php