Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Frontiers of Computational Journalism week 11 - Privacy and Security


Published on

Taught at Columbia Journalism School, Fall 2018
Full syllabus and lecture videos at

Published in: Education
  • Login to see the comments

  • Be the first to like this

Frontiers of Computational Journalism week 11 - Privacy and Security

  1. 1. Frontiers of Computational Journalism Columbia Journalism School Week 11: Privacy and Security December 5, 2018
  2. 2. This class • Digital Security Basics • Mass Surveillance and Privacy • Legal Landscape • Threat Modeling • Secure Reporting Recipes • Case Study: Leaked Cables
  3. 3. Digital Security Basics
  4. 4. What everyone in the organization needs to do • Passwords and 2-step login • Don’t fall for phishing • Encrypt your devices • Check your social media and cloud storage permissions
  5. 5. LinkedIn from June 2012 breach Gawker from Dec 2010 breach
  6. 6. Two-Factor Authentication Something you know, plus something you have
  7. 7. Good Password Practice • Use two-factor authentication • Don't use a common password. Avoid words in the dictionary. • If you use the same password for multiple sites, your password is only as strong as the security on the weakest site. • Consider passphrases, and password management tools like OnePass
  8. 8. Phishing By far the most common attack. Send a message to user tricking them into entering their password. Typically directs users to a fake login page. Protection: beware links that take you to a login page! Always read the URL after clicking a link from a message.
  9. 9. AP Twitter Hacked by Phishing
  10. 10. AP Phishing Email The link didn’t really go to!
  11. 11. John Podesta “hacked” by phishing
  12. 12. Syrian Facebook phishing Arabic text reads: "Urgent and critical.. video leaked by security forces and thugs.. the revenge of Assad's thugs against the free men and women of Baba Amr in captivity and taking turns raping one of the women in captivity by Assad's dogs.. please spread this."
  13. 13. Chinese email spear-phishing From FireEye blog post: “In August 2015, the threat actors sent spear phishing emails to a number of Hong Kong- based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests”
  14. 14. Read the URL Before You Click!
  15. 15. Defending Against Phishing •Be suspicious of generic messages •Read the URL before you click •Always read the URL before typing in a password •Report suspicious links to security
  16. 16. Laptop falls into Syrian govt. hands, sources forced to flee
  17. 17. Encrypt your storage Turn on disk encryption! It’s built in. Use BitLocker (Windows), FileVault (Mac) Encrypt your phone too!
  18. 18. Mass Surveillance and Privacy
  19. 19. Background yourself on social media! Use someone else’s computer (or an Incognito window) and research yourself. See if you can find your home address, date of birth, or child’s school.
  20. 20. AP source busted through phone logs
  21. 21. Tell-All Telephone (
  22. 22. From Protecting Consumer Privacy in an Era of Rapid Change, FTC, 2010
  23. 23. Open Network Initiative global filtering map --
  24. 24. SSL Aka, HTTPS. Depends on a system of root certificate authorities (CAs) that generate certificates (cryptographically sign keys) for sites that use HTTPS. Browsers have CA keys built in, so they can verify that a site has a valid signed key. Works great, except that certificate authorities can be hacked, and we must expect that most states can easily sign a certificate through a proxy.
  25. 25. Real MITM attacks
  26. 26. Legal Landscape
  27. 27. Legal Security In the U.S., the Privacy Protection Act prevents police from seizing journalists’ data without a warrant... if you're the one storing it. Third party doctrine: if it’s in the cloud, no protection!
  28. 28. Third party doctrine in privacy law Smith v. Maryland, Supreme Court, 1979
  29. 29. Surveillance Law: the U.S. situation Do you need a warrant to see who I called? Nope. Supreme court, Smith vs. Maryland, 1979 controls "metadata." Do you need a warrant to read my email (or IM, etc.)? Electronic Communications Privacy Act (1986): Not if it's older than 180 days U.S. v. Warshak, sixth circuit (2010): yes Proposed Email Privacy Act (passed House April 2016): yes Do you need a warrant to track someone through their phone? 2013: ACLU FOIA of 200 police departments: some say yes, some say no 2018: Carpenter v. United States, Supreme court says yes for 7 days or more Do you need a warrant to look at the data on my phone after an arrest? Yes. Supreme court said so in 2014, Riley vs. California.
  30. 30. "In the first public accounting of its kind, cellphone carriers reported that they responded to a startling 1.3 million demands for subscriber information last year from law enforcement agencies seeking text messages, caller locations and other information in the course of investigations." - Wireless Firms Are Flooded by Requests to Aid Surveillance, New York Times, July 8 2012
  31. 31. Google Transparency Report
  32. 32. Facebook, Skype, WhatsApp, etc. can be monitored by parent company. And requested by law enforcement. Pictured: Facebook requests, Q1-Q2 2015 Facebook Transparency Report
  33. 33. Threat Modeling
  34. 34. How to plan for a sensitive story What do I want to keep private? (Messages, locations, identities, networks...) Who wants to know? (story subject, governments, law enforcement, corporations...) What can they do? (eavesdrop, subpoena... or exploit security lapses and accidents!) What happens if they succeed? (story's blown, legal problems for a source, someone gets killed...)
  35. 35. What Must Be Private? • Which data? o Emails and other communications o Photos, footage, notes o Your address book, travel itineraries, etc. • Privacy vs. anonymity o Encryption protects content of an email or IM o Not the identity of sender and recipient
  36. 36. Who Wants to Know? Most of the time, the NSA is not the problem Your adversary could be the subject of a story, a government, another news organization, etc.
  37. 37. What Can the Adversary Do? • Technical o Hacking, intercepting communications, code-breaking • Legal o Lawsuits, subpoenas, detention • Social o Phishing, “social engineering,” exploiting trust • Operational o The one time you didn’t use a secure channel o Person you shouldn’t have told • Physical o Theft, installation of malware, network taps, violence
  38. 38. Legal threat: NYT reporter investigated
  39. 39. Threat Modeling Scenario #1 You are a photojournalist in Syria with digital images you want to get out of the country. Limited Internet access is available at a café. Some of the images may identify people working with the rebels who could be targeted by the government if their identity is revealed.
  40. 40. Threat Modeling Scenario #2 You are reporting on insider trading at a large bank and talking secretly to two whistleblowers who may give you documents. If these sources are identified before the story comes out, at the very least you will lose your sources.
  41. 41. Threat Modeling Scenario #3 You are reporting a story about local police misconduct. You have talked to sources including police officers and victims. You would prefer that the police commissioner not know of your story before it is published.
  42. 42. Threat Modeling Scenario #4 You are reporting on drug cartels in Central America. Previous sources and journalists have been murdered.
  43. 43. Secure Communication
  44. 44. Slack (etc.) lives forever – and killed Gawker
  45. 45. Text messages Standard text messages are incredibly insecure. Facebook, WhatsApp, WeChat, etc. are logged by the parent company – and can be subpoenaed by law enforcement. Use iMessage or Signal.
  46. 46. SMS is not encrypted! The phone company logs them, and devices exist to read all SMS text messages sent by nearby phones.
  47. 47. iMessage is very secure, but you must turn off “Send as SMS” Correctly sent messages are blue.
  48. 48. WhatsApp recently implemented Signal protocol on all platforms. But metadata probably still available to Facebook, and subpoenable.
  49. 49. Signal is the free, secure messaging app. Axlotl Ratchet protocol provides forward secrecy. Android, iPhone, Desktop.
  50. 50. Signal vs. Law Enforcement
  51. 51. Email Email is difficult to secure. Avoid it if you can. Limited security if both ends of the conversation always use Gmail, Hushmail, or ProtonMail. Still subject to subpeona. I do not recommend PGP/GPG. Hard to get right, does not hide metadata, no forward secrecy (old messages revealed if someone gets your private key.)
  52. 52. Phone calls Standard phone calls leave “metadata” at phone company. Who you called, when, how long you talked, where you were. Who can access this? Definitely law enforcement.
  53. 53. Sharing and Storing Data
  54. 54. How many copies? The original file might be on your phone, camera SD card, etc. What about backups and cloud syncing? Email attachments? Use secure erase products – but there may still be traces (temporary files, filenames in “recently used” lists, etc.)
  55. 55. Physical data security Who could steal your laptop? Keep drives, papers, etc. locked up. If someone else can access your computer, they can install spyware.
  56. 56. Anonymous Sources
  57. 57. Anonymous sources Anonymity is not the same as privacy It is much harder. There are many ways to accidentally reveal someone’s identity. The key concept is “linkability” between different accounts and identifiers.
  58. 58. Private but not anonymous Encrypted message is like a sealed envelope. Anyone can still read the address (metadata)
  59. 59. Communicating with sources “So I meet employee X, and we have a cup of coffee even, and we want to exchange contacts. And if I pull him aside and say, all right, from now on you’ll call me “Popeye”, and here’s where you download TAILS and we’ll set up secret, spooky accounts and encryption, it’s as if I was saying, here let me have your phone number, and by the way can you show me any recent STD tests, and which brand of condom do you like? It’s sort of who are you, what are you talking about, I didn’t agree to anything like this.” - Barton Gelman of the Washington Post, at the HOPE X conference
  60. 60. The only practical answer Don’t give the source any way to communicate with you that is not secure. If they have a gmail address, and you have a gmail address, and Google is unlikely to cooperate with your adversary, use gmail. Otherwise: iMessage, WhatsApp, or Signal. But usually you add a contact by entering a phone number, so how to prevent source from just calling you?
  61. 61. Anonymous Browsing
  62. 62. IP address reveals location (and often organization) From
  63. 63.
  64. 64. Tor Browser Bundle
  65. 65. IP address in web server logs reveals story in progress - US vs Skelos S1 15. Cr. 317 (KMW)
  66. 66. Handling Leaks
  67. 67. Receiving Leaks Prevent the adversary from knowing who leaked – keep the source anonymous. Corporate networks are monitored. Personal devices are associated with identifying information. Most secure method for transferring sensitive files is still a face to face meeting. Publishing is a problem too! File metadata has blown more than one source.
  68. 68. File metadata Word documents, PDFs, etc. all have hidden info in the file, including author name, creation date.
  69. 69. Most printers add microdots to every page
  70. 70. Crossing Borders
  71. 71. Crossing borders Prepare to be searched. Encrypt your devices. But realize that you may have to give up your password. Prepare to have equipment seized. Have backups. Best plan may be to send data home over the network.
  72. 72. US Border crossing guide EFF’s “Digital Privacy at the US Border: Protecting Data on Your Devices and in the Cloud”
  73. 73. Case Study: Leaked Cables
  74. 74. How the leak was leaked Julian Assange gave a password and a temporary URL to Guardian reporter David Leigh. Leigh downloaded the file in encrypted form from the temporary URL. Leigh decrypted the file and reported on the contents. ...but later, all the cables were available publicly, which is not what either Assange or Leigh intended.
  75. 75. The Plan M Epassword UR L password E E M Assange Leigh
  76. 76. What Assange was thinking E ??? M Epassword UR L password E E M Assange Leigh
  77. 77. What Leigh was thinking ??? M Epassword UR L password E E M Assange Leigh
  78. 78. What actually happened !!! M Epassword UR L password E E M Assange Leigh passwordWL Archi ve E M
  79. 79. Digital security for journalists in one slide Use real passwords + 2 step login. Recognize phishing. Encrypt your devices. Know what social media reveals. Use threat modeling to make a plan for your story. Know what you are protecting from whom. Integrate digital with physical, legal, operational security. Avoid email. Use iMessage, WhatsApp, or Signal. Give sources a secure channel from the start. Source anonymity requires extensive planning, both online and offline. Know exactly what data is sensitive, how many copies there are, and where.
  80. 80. Some resources Committee to Protect Journalists information security guide Threat modeling in detail Digital Security and Source Protection for Journalists