What everyone in the organization needs to do
• Passwords and 2-step login
• Don’t fall for phishing
• Encrypt your devices
• Check your social media and cloud storage permissions
from June 2012 breach
from Dec 2010 breach
Something you know, plus something you have
Good Password Practice
• Use two-factor authentication
• Don't use a common password. Avoid words in the dictionary.
• If you use the same password for multiple sites, your password is only as
strong as the security on the weakest site.
• Consider passphrases, and password management tools like OnePass
By far the most common attack: send the user a message that tricks them into
entering their password.
Typically directs users to a fake login page.
Protection: beware links that take you to a login page! Always read the
URL after clicking a link from a message.
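One way to turn "read the URL" into a concrete check, as an added example that is not part of the original slides. The allowlist of expected login hosts and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the login hosts this reader actually uses (constructed allowlist).
EXPECTED_LOGIN_HOSTS = {"accounts.google.com", "login.newsroom.example"}

def check_login_url(url):
    """Return (ok, reason) for the URL shown in the address bar of a login page."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not HTTPS"
    if parts.username is not None:
        # Anything before '@' is a user name, not the site being visited.
        return False, "text before '@' is not the host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host name, compare it character by character"
    if host not in EXPECTED_LOGIN_HOSTS:
        # The site is named by the END of the host, so a familiar name at the
        # start ("accounts.google.com.something.example") proves nothing.
        return False, "unexpected host: " + host
    return True, "expected host: " + host

# Constructed sample URLs, not taken from any real message.
SAMPLES = [
    "https://accounts.google.com/signin",
    "http://accounts.google.com/signin",
    "https://accounts.google.com.signin-check.example/login",
    "https://accounts.google.com@signin-check.example/login",
    "https://xn--ggle-0nda.example/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_login_url(url), url)
```

Only the first sample passes; each of the others fails for a different reason that is visible in the address bar.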
Arabic text reads: "Urgent and
critical.. video leaked by security
forces and thugs.. the revenge of
Assad's thugs against the free men
and women of Baba Amr in captivity
and taking turns raping one of the
women in captivity by Assad's dogs..
please spread this."
Chinese email spear-phishing
From FireEye blog post:
“In August 2015, the threat actors sent spear
phishing emails to a number of Hong Kong-
based media organizations, including
newspapers, radio, and television. The first
email references the creation of a Christian civil
society organization to coincide with the
anniversary of the 2014 protests in Hong Kong
known as the Umbrella Movement. The second
email references a Hong Kong University
alumni organization that fears votes in a
referendum to appoint a Vice-Chancellor will be
co-opted by pro-Beijing interests”
From Protecting Consumer Privacy in an Era of Rapid Change, FTC, 2010
OpenNet Initiative global filtering map -- opennet.net
Depends on a system of root certificate authorities (CAs) that generate
certificates (cryptographically sign keys) for sites that use HTTPS.
Browsers have CA keys built in, so they can verify that a site has a valid
Works great, except that certificate authorities can be hacked, and we
must expect that most states can easily sign a certificate through a proxy.
In the U.S., the Privacy Protection Act prevents police from seizing
journalists’ data without a warrant... if you're the one storing it.
Third party doctrine: if it’s in the cloud, no protection!
Third party doctrine in privacy law
Smith v. Maryland, Supreme Court, 1979
Surveillance Law: the U.S. situation
Do you need a warrant to see who I called?
Nope. Supreme Court, Smith v. Maryland, 1979 controls "metadata."
Do you need a warrant to read my email (or IM, etc.)?
Electronic Communications Privacy Act (1986): Not if it's older than 180 days
U.S. v. Warshak, Sixth Circuit (2010): yes
Proposed Email Privacy Act (passed House April 2016): yes
Do you need a warrant to track someone through their phone?
2013: ACLU FOIA of 200 police departments: some say yes, some say no
2018: Carpenter v. United States, Supreme Court says yes for 7 days or more
Do you need a warrant to look at the data on my phone after an arrest?
Yes. Supreme Court said so in 2014, Riley v. California.
"In the first public accounting of its kind,
cellphone carriers reported that they
responded to a startling 1.3 million
demands for subscriber information last
year from law enforcement agencies
seeking text messages, caller locations
and other information in the course of
- Wireless Firms Are Flooded by
Requests to Aid Surveillance, New York Times,
July 8 2012
How to plan for a sensitive story
What do I want to keep private?
(Messages, locations, identities, networks...)
Who wants to know?
(story subject, governments, law enforcement, corporations...)
What can they do?
(eavesdrop, subpoena... or exploit security lapses and accidents!)
What happens if they succeed?
(story's blown, legal problems for a source, someone gets killed...)
What Must Be Private?
• Which data?
o Emails and other communications
o Photos, footage, notes
o Your address book, travel itineraries, etc.
• Privacy vs. anonymity
o Encryption protects content of an email or IM
o Not the identity of sender and recipient
Who Wants to Know?
Most of the time, the NSA is not the problem
Your adversary could be the subject of a story, a government, another
news organization, etc.
What Can the Adversary Do?
o Hacking, intercepting communications, code-breaking
o Lawsuits, subpoenas, detention
o Phishing, “social engineering,” exploiting trust
o The one time you didn’t use a secure channel
o Person you shouldn’t have told
o Theft, installation of malware, network taps, violence
Threat Modeling Scenario #1
You are a photojournalist in Syria with digital images you want to get
out of the country. Limited Internet access is available at a café.
Some of the images may identify people working with the rebels
who could be targeted by the government if their identity is
Threat Modeling Scenario #2
You are reporting on insider trading at a large bank and talking
secretly to two whistleblowers who may give you documents.
If these sources are identified before the story comes out, at the
very least you will lose your sources.
Threat Modeling Scenario #3
You are reporting a story about local police misconduct. You have
talked to sources including police officers and victims.
You would prefer that the police commissioner not know of your
story before it is published.
Threat Modeling Scenario #4
You are reporting on drug cartels in Central America. Previous
sources and journalists have been murdered.
Email is difficult to secure. Avoid it if you can.
Limited security if both ends of the conversation always use Gmail,
Hushmail, or ProtonMail. Still subject to subpoena.
I do not recommend PGP/GPG. Hard to get right, does not hide
metadata, no forward secrecy (old messages revealed if someone gets
your private key.)
Standard phone calls leave “metadata” at phone company. Who you
called, when, how long you talked, where you were.
Who can access this?
Definitely law enforcement.
How many copies?
The original file might be on your phone, camera SD card, etc.
What about backups and cloud syncing? Email attachments?
Use secure erase products – but there may still be traces (temporary
files, filenames in “recently used” lists, etc.)
Physical data security
Who could steal your laptop?
Keep drives, papers, etc. locked up.
If someone else can access your
computer, they can install spyware.
Anonymity is not the same as privacy
It is much harder.
There are many ways to accidentally reveal someone’s identity.
The key concept is “linkability” between different accounts and
Private but not anonymous
Encrypted message is like a sealed envelope.
Anyone can still read the address (metadata)
Communicating with sources
“So I meet employee X, and we have a cup of coffee even, and we want to
exchange contacts. And if I pull him aside and say, all right, from now on
you’ll call me “Popeye”, and here’s where you download TAILS and we’ll
set up secret, spooky accounts and encryption, it’s as if I was saying, here
let me have your phone number, and by the way can you show me any
recent STD tests, and which brand of condom do you like? It’s sort of who
are you, what are you talking about, I didn’t agree to anything like this.”
- Barton Gellman of the Washington Post, at the HOPE X conference
The only practical answer
Don’t give the source any way to communicate with you that is not
If they have a gmail address, and you have a gmail address, and
Google is unlikely to cooperate with your adversary, use gmail.
Otherwise: iMessage, WhatsApp, or Signal. But you usually add a
contact by entering a phone number, so how do you prevent the source from
just calling you?
Prevent the adversary from knowing who leaked – keep the source
Corporate networks are monitored. Personal devices are associated
with identifying information. Most secure method for transferring
sensitive files is still a face to face meeting.
Publishing is a problem too! File metadata has blown more than one
Word documents, PDFs, etc. all have hidden info in the
file, including author name, creation date.
Prepare to be searched. Encrypt your devices. But realize that you may
have to give up your password.
Prepare to have equipment seized. Have backups.
Best plan may be to send data home over the network.
US Border crossing guide
EFF’s “Digital Privacy at the US Border: Protecting Data on Your
Devices and in the Cloud”
How the leak was leaked
Julian Assange gave a password and a temporary URL to
Guardian reporter David Leigh.
Leigh downloaded the file in encrypted form from the temporary
Leigh decrypted the file and reported on the contents.
...but later, all the cables were available publicly, which is not what
either Assange or Leigh intended.
What Assange was thinking
What Leigh was thinking
What actually happened
Digital security for journalists in one slide
Use real passwords + 2 step login. Recognize phishing. Encrypt your devices. Know
what social media reveals.
Use threat modeling to make a plan for your story. Know what you are protecting from
whom. Integrate digital with physical, legal, operational security.
Avoid email. Use iMessage, WhatsApp, or Signal. Give sources a secure channel
from the start.
Source anonymity requires extensive planning, both online and offline.
Know exactly what data is sensitive, how many copies there are, and where.
Committee to Protect Journalists information security guide
Threat modeling in detail
Digital Security and Source Protection for Journalists