Frontiers of

Computational Journalism

Columbia Journalism School

Week 11: Privacy and Security

December 1, 2017
 This class
Digital Security Basics
Mass Surveillance and Privacy
Legal Landscape
Threat Modeling
Secure Reporting Recipes
Case Study: Leaked Cables
Digital Security Basics
 What everyone in the organization
needs to do
Passwords and 2-step login
Dont fall for phishing
Encrypt your devices
Check your social media and cloud storage permissions
LinkedIn
from June 2012 breach

Gawker
from Dec 2010 breach
 Two-Factor Authentication
Something you know, plus something you have
 Good Password Practice

Use two-factor authentication

Don't use a common password. Avoid words in the dictionary.

If you use the same password for multiple sites, your password is only
as strong as the security on the weakest site.

Consider passphrases, and password management tools like

OnePass
 Phishing
By far the most common attack. Send a message to user tricking
them into entering their password.

Typically directs users to a fake login page.

Protection: beware links that take you to a login page! Always read
the URL after clicking a link from a message.
AP Twitter Hacked by Phishing
 AP Phishing Email

The link didnt really go to washingtonpost.com!

John Podesta hacked by phishing
Syrian Facebook
phishing

Arabic text reads: "Urgent and

critical.. video leaked by security
forces and thugs.. the revenge of
Assad's thugs against the free
men and women of Baba Amr in
captivity and taking turns raping
one of the women in captivity by
Assad's dogs.. please spread
this."
Chinese email spear-
phishing
From FireEye blog post:
In August 2015, the threat actors sent
spear phishing emails to a number of Hong
Kong-based media organizations, including
newspapers, radio, and television. The first
email references the creation of a Christian
civil society organization to coincide with
the anniversary of the 2014 protests in Hong
Kong known as the Umbrella Movement.
The second email references a Hong Kong
University alumni organization that fears
votes in a referendum to appoint a Vice-
Chancellor will be co-opted by pro-Beijing
interests
Read the URL Before You Click!
 Defending Against Phishing
Be suspicious of generic messages

Read the URL before you click

Always read the URL before typing in a password

Report suspicious links to security

Laptop falls into Syrian govt.
hands, sources forced to flee
 Encrypt your storage

Turn on disk encryption! Its built in.

Use BitLocker (Windows), FileVault (Mac)
Encrypt your phone too!
Mass Surveillance and Privacy
 Background yourself on social media!

Use someone elses computer (or an Incognito window) and

research yourself. See if you can find your home address, date of
birth, or childs school.
AP source busted through
phone logs
Tell-All Telephone (zeit.de)
From Protecting Consumer Privacy in an Era of Rapid Change, FTC, 2010
Open Network Initiative global filtering map --
opennet.net
 SSL
Aka, HTTPS.

Depends on a system of root certificate authorities (CAs) that

generate certificates (cryptographically sign keys) for sites that use
HTTPS.

Browsers have CA keys built in, so they can verify that a site has a
valid signed key.

Works great, except that certificate authorities can be hacked,

and we must expect that most states can easily sign a certificate
through a proxy.
Real MITM attacks
Legal Landscape
 Legal Security

In the U.S., the Privacy Protection Act prevents police from seizing
journalists data without a warrant... if you're the one storing it.

Third party doctrine: if its in the cloud, no protection!

Third party doctrine in privacy law

Smith v. Maryland, Supreme Court, 1979

 Surveillance Law: the U.S. situation
Do you need a warrant to see who I called?
Nope. Supreme court, Smith vs. Maryland, 1979 controls "metadata."

Do you need a warrant to read my email (or IM, etc.)?

Electronic Communications Privacy Act (1986): Not if it's older than 180 days
U.S. v. Warshak, sixth circuit (2010): yes
Proposed Email Privacy Act (passed House April 2016): yes

Do you need a warrant to track someone through their phone?

ACLU FOIA of 200 police departments (2013): some say yes, some say no
U.S. v. Jones (2012), Supreme Court: can't put a GPS on someone without a warrant. But
doesn't mention the GPS in our phones.
18 states now require warrant (2015)

Do you need a warrant to look at the data on my phone after an arrest?

Yes. Supreme court said so in 2014, Riley vs. California.
"In the first public accounting of its
kind, cellphone carriers reported
that they responded to a startling
1.3 million demands for subscriber
information last year from law
enforcement agencies seeking text
messages, caller locations and other
information in the course of
investigations."

- Wireless Firms Are Flooded by

Requests to Aid Surveillance, New York
Times, July 8 2012
Google Transparency Report
 Facebook Transparency Report
Facebook,
Skype,
WhatsApp, etc.
can be
monitored by
parent
company.

And requested
by law
enforcement.

Pictured: Facebook
requests, Q1-Q2 2015
Threat Modeling
How to plan for a sensitive story
What do I want to keep private?
(Messages, locations, identities, networks...)

Who wants to know?

(story subject, governments, law enforcement, corporations...)

What can they do?

(eavesdrop, subpoena... or exploit security lapses and accidents!)

What happens if they succeed?

(story's blown, legal problems for a source, someone gets killed...)
 What Must Be Private?
Which data?
o Emails and other communications
o Photos, footage, notes
o Your address book, travel itineraries, etc.

Privacy vs. anonymity

o Encryption protects content of an email or IM
o Not the identity of sender and recipient
 Who Wants to Know?
Most of the time, the NSA is not the problem

Your adversary could be the subject of a story, a government,

another news organization, etc.
 What Can the Adversary Do?
Technical
o Hacking, intercepting communications, code-breaking
Legal
o Lawsuits, subpoenas, detention
Social
o Phishing, social engineering, exploiting trust
Operational
o The one time you didnt use a secure channel
o Person you shouldnt have told
Physical
o Theft, installation of malware, network taps, violence
Legal threat: NYT reporter investigated
 Threat Modeling Scenario #1
You are a photojournalist in Syria with digital images you want
to get out of the country. Limited Internet access is available
at a caf.
Some of the images may identify people working with the
rebels who could be targeted by the government if their
identity is revealed.
 Threat Modeling Scenario #2
You are reporting on insider trading at a large bank and
talking secretly to two whistleblowers who may give you
documents.
If these sources are identified before the story comes out, at
the very least you will lose your sources.
 Threat Modeling Scenario #3
You are reporting a story about local police misconduct. You
have talked to sources including police officers and victims.
You would prefer that the police commissioner not know of
your story before it is published.
 Threat Modeling Scenario #4
You are reporting on drug cartels in Central America. Previous
sources and journalists have been murdered.
Secure Communication
Slack (etc.) lives forever and killed Gawker
 Text messages
Standard text messages are incredibly insecure.

Facebook, WhatsApp, WeChat, etc. are logged by the parent

company and can be subpoenaed by law enforcement.

Use iMessage or Signal.

SMS is not encrypted! The phone
company logs them, and devices
exist to read all SMS text messages
sent by nearby phones.
iMessage is very secure,
but you must turn off
Send as SMS

Correctly sent messages

are blue.
WhatsApp recently implemented
Signal protocol on all platforms. But
metadata probably still available to
Facebook, and subpoenable.
Signal is the free,
secure messaging
app.

Axlotl Ratchet
protocol provides
forward secrecy.

Android, iPhone,
Desktop.
Signal vs. Law Enforcement
 Email
Email is difficult to secure. Avoid it if you can.

Limited security if both ends of the conversation always use

Gmail, Hushmail, or ProtonMail. Still subject to subpeona.

I do not recommend PGP/GPG. Hard to get right, does not hide

metadata, no forward secrecy (old messages revealed if
someone gets your private key.)
 Phone calls
Standard phone calls leave metadata at phone company.
Who you called, when, how long you talked, where you were.

Who can access this?

Definitely law enforcement.

Sharing and Storing Data
 How many copies?
The original file might be on your phone, camera SD card, etc.

What about backups and cloud syncing? Email attachments?

Use secure erase products but there may still be traces

(temporary files, filenames in recently used lists, etc.)
 Physical data security
Who could steal your laptop?

Keep drives, papers, etc. locked up.

If someone else can access your

computer, they can install spyware.
Anonymous Sources
 Anonymous sources
Anonymity is not the same as privacy

It is much harder.

There are many ways to accidentally reveal someones identity.

The key concept is linkability between different accounts and

identifiers.
 Private but not anonymous

Encrypted message is like a sealed envelope.

Anyone can still read the address (metadata)
 Communicating with sources
So I meet employee X, and we have a cup of coffee even, and we
want to exchange contacts. And if I pull him aside and say, all right,
from now on youll call me Popeye, and heres where you
download TAILS and well set up secret, spooky accounts and
encryption, its as if I was saying, here let me have your phone
number, and by the way can you show me any recent STD tests,
and which brand of condom do you like? Its sort of who are you,
what are you talking about, I didnt agree to anything like this.

- Barton Gelman of the Washington Post, at the HOPE X conference

 The only practical answer
Dont give the source any way to communicate with you that is
not secure.

If they have a gmail address, and you have a gmail address, and
Google is unlikely to cooperate with your adversary, use gmail.

Otherwise: iMessage, WhatsApp, or Signal. But usually you add a

contact by entering a phone number, so how to prevent source
from just calling you?
Anonymous Browsing
IP address reveals location
(and often organization)

From whatismyip.com
Torproject.org
Tor Browser Bundle
 IP address in web server logs
reveals story in progress

- US vs Skelos S1 15. Cr. 317 (KMW)

Handling Leaks
 Receiving Leaks
Prevent the adversary from knowing who leaked keep the
source anonymous.

Corporate networks are monitored. Personal devices are

associated with identifying information. Most secure method for
transferring sensitive files is still a face to face meeting.

Publishing is a problem too! File metadata has blown more than

one source.
 File metadata

Word documents, PDFs, etc. all have hidden info

in the file, including author name, creation date.
Crossing Borders
 Crossing borders
Prepare to be searched. Encrypt your devices. But realize that
you may have to give up your password.

Prepare to have equipment seized. Have backups.

Best plan may be to send data home over the network.

 US Border crossing guide
EFFs Digital Privacy at the US Border: Protecting Data on Your
Devices and in the Cloud
https://www.eff.org/wp/digital-privacy-us-border-2017
Case Study: Leaked Cables
 How the leak was leaked
Julian Assange gave a password and a temporary URL to
Guardian reporter David Leigh.

Leigh downloaded the file in encrypted form from the

temporary URL.

Leigh decrypted the file and reported on the contents.

...but later, all the cables were available publicly, which is

not what either Assange or Leigh intended.
 The Plan

E
password E UR E password M
M
L
Assange Leigh
 What Assange was thinking

E
password E UR E password M
M
L
Assange Leigh

E ???
 What Leigh was thinking

E
password E UR E password M
M
L
Assange Leigh

???
 What actually happened
E
password E UR E password M
M
L
Assange Leigh

E
WL password
Archi
ve

M !!!
Digital security for journalists in one slide
Use real passwords + 2 step login. Recognize phishing. Encrypt your devices.
Know what social media reveals.

Use threat modeling to make a plan for your story. Know what you are
protecting from whom. Integrate digital with physical, legal, operational
security.

Avoid email. Use iMessage, WhatsApp, or Signal. Give sources a secure

channel from the start.

Source anonymity requires extensive planning, both online and offline.

Know exactly what data is sensitive, how many copies there are, and where.
 Some resources
Committee to Protect Journalists information security guide
http://www.cpj.org/reports/2012/04/information-security.php

Threat modeling in detail

https://source.opennews.org/en-US/learning/security-journalists-part-two-threat-modeling/

Digital Security and Source Protection for Journalists

http://susanemcgregor.com/digital-security/