Frontiers of
Computational Journalism
Columbia Journalism School
Week 11: Privacy and Security
December 5, 2018
This class
• Digital Security Basics
• Mass Surveillance and Privacy
• Legal Landscape
• Threat Modeling
• Secure Reporting Recipes
• Case Study: Leaked Cables
Digital Security Basics
What everyone in the organization
needs to do
• Passwords and 2-step login
• Don’t fall for phishing
• Encrypt your devices
• Check your social media and cloud storage permissions
LinkedIn
from June 2012 breach
Gawker
from Dec 2010 breach
Two-Factor Authentication
Something you know, plus something you have
Good Password Practice
• Use two-factor authentication
• Don't use a common password. Avoid words in the dictionary.
• If you use the same password for multiple sites, your password is only as
strong as the security on the weakest site.
• Consider passphrases, and password management tools such as 1Password
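Added example, not from the slides: a few lines of Python showing why the breach lists above matter, for both "avoid words in the dictionary" and "your password is only as strong as the weakest site". The accounts, hashes and wordlist are constructed for the demo; the unsalted SHA-1 format is the one the 2012 LinkedIn dump used.

```python
# Added example (not from the slides): why unsalted hashes of dictionary
# passwords fall in milliseconds, and how one cracked password exposes
# every other site where it was reused.  Python standard library only.
import hashlib


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample dump: account -> unsalted SHA-1 hash, the format of the
# 2012 LinkedIn leak.  Accounts and passwords are made up for this example.
LEAKED_SITE_A = {
    "alice@example.com": sha1_hex("sunshine"),
    "bob@example.com":   sha1_hex("password1"),
    "carol@example.com": sha1_hex("correct horse battery staple"),
}

# Constructed second site where alice reused her password.  It hashes with
# SHA-256 instead; reuse is still fatal because the cracker has the plaintext.
LEAKED_SITE_B = {
    "alice@example.com": sha256_hex("sunshine"),
    "dave@example.com":  sha256_hex("hunter2"),
}

# A tiny wordlist; real crackers use hundreds of millions of entries.
WORDLIST = ["password", "sunshine", "letmein", "welcome", "dragon"]


def mangle(word: str):
    """The cheap rules crackers apply to every dictionary word."""
    yield word
    yield word.capitalize()
    yield word + "!"
    for digit in range(10):
        yield f"{word}{digit}"


def crack(hashes: dict, wordlist) -> dict:
    """Return {account: password} for every hash the wordlist reaches.

    Because the hashes are unsalted, one SHA-1 per candidate tests *all*
    accounts at once.  A per-user salt plus a slow hash (bcrypt, scrypt,
    Argon2) removes that batching, but a dictionary password still falls
    once the attacker targets that one user.
    """
    accounts_by_hash: dict = {}
    for account, h in hashes.items():
        accounts_by_hash.setdefault(h, []).append(account)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            for account in accounts_by_hash.get(sha1_hex(candidate), []):
                found[account] = candidate
    return found


def reuse_exposure(cracked: dict, other_site: dict) -> list:
    """Accounts on another site that open with a password cracked elsewhere."""
    known = {sha256_hex(p) for p in cracked.values()}
    return sorted(acct for acct, h in other_site.items() if h in known)


if __name__ == "__main__":
    got = crack(LEAKED_SITE_A, WORDLIST)
    print("cracked:", got)                       # alice and bob, never carol
    print("reused elsewhere:", reuse_exposure(got, LEAKED_SITE_B))
```

Carol's passphrase survives not because SHA-1 is strong but because no wordlist rule reaches a four-word phrase; alice's reuse means a breach at site A logs the attacker into site B without touching B's password database.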
Phishing
By far the most common attack. Send a message to a user that tricks them into
entering their password, typically by directing them to a fake login page.
Protection: beware links that take you to a login page! Always read the
URL after clicking a link from a message.
AP Twitter Hacked by Phishing
AP Phishing Email
The link didn’t really go to washingtonpost.com!
John Podesta “hacked” by phishing
Syrian Facebook
phishing
Arabic text reads: "Urgent and
critical.. video leaked by security
forces and thugs.. the revenge of
Assad's thugs against the free men
and women of Baba Amr in captivity
and taking turns raping one of the
women in captivity by Assad's dogs..
please spread this."
Chinese email spear-phishing
From FireEye blog post:
“In August 2015, the threat actors sent spear
phishing emails to a number of Hong Kong-
based media organizations, including
newspapers, radio, and television. The first
email references the creation of a Christian civil
society organization to coincide with the
anniversary of the 2014 protests in Hong Kong
known as the Umbrella Movement. The second
email references a Hong Kong University
alumni organization that fears votes in a
referendum to appoint a Vice-Chancellor will be
co-opted by pro-Beijing interests”
Read the URL Before You Click!
Defending Against Phishing
• Be suspicious of generic messages
• Read the URL before you click
• Always read the URL before typing in a password
• Report suspicious links to security
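Added example, not from the slides: Python that does what "read the URL" asks, mechanically, and flags the pattern in the AP email (link text naming one site, link target going to another). The sample links are constructed for the demo; the two-label "registrable domain" rule is a simplification called out in the code.

```python
# Added example (not from the slides): checking where a link really goes,
# the way the "read the URL" advice asks you to.  Standard library only.
from urllib.parse import urlsplit


def real_host(url: str) -> str:
    """Hostname the browser will actually connect to.

    urlsplit().hostname drops the scheme, any user:password@ prefix, the
    port and the path, and lowercases the result, so the tricks in the
    samples below all reduce to the same question: which host is this?
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    return parts.hostname.rstrip(".")


def registrable(host: str) -> str:
    """Last two labels of the host.  Simplification for this example: real
    code should consult the Public Suffix List so 'bbc.co.uk' is not
    reduced to 'co.uk'."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def belongs_to(host: str, brand_domain: str) -> bool:
    return host == brand_domain or host.endswith("." + brand_domain)


def classify(url: str, brand_domain: str) -> str:
    """'genuine'   : host is the brand's domain or a subdomain of it
       'lookalike' : brand name appears somewhere in the URL but the host
                     belongs to someone else (the AP email pattern)
       'other'     : unrelated site"""
    host = real_host(url)
    if belongs_to(host, brand_domain):
        return "genuine"
    if brand_domain.split(".")[0] in url.lower():
        return "lookalike"
    return "other"


def link_is_deceptive(anchor_text: str, href: str) -> bool:
    """True when the text shown for a link names one site but the href goes
    to another.  Mail clients display anchor_text; the browser follows href."""
    shown = anchor_text.strip()
    if "." not in shown or " " in shown:
        return False                      # plain words like "click here"
    if "://" not in shown:
        shown = "http://" + shown
    try:
        return registrable(real_host(shown)) != registrable(real_host(href))
    except ValueError:
        return False


# Constructed links in the style of the phishing examples above.
SAMPLES = [
    "https://www.washingtonpost.com/politics/",
    "http://WashingtonPost.com:80/",
    "https://washingtonpost.com@login-verify.example/session",
    "http://washingtonpost.com.login-verify.example/",
    "https://washingtonpost-com.example/signin",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u, 'washingtonpost.com'):10} {real_host(u):45} {u}")
```

The third sample is the one people miss: everything before the `@` is a username the browser throws away, so the visible "washingtonpost.com" never touches the real destination.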
Laptop falls into Syrian govt.
hands, sources forced to flee
Encrypt your storage
Turn on disk encryption! It’s built in.
Use BitLocker (Windows), FileVault (Mac)
Encrypt your phone too!
Mass Surveillance and Privacy
Background yourself on social media!
Use someone else’s computer (or an Incognito window) and research
yourself. See if you can find your home address, date of birth, or child’s
school.
AP source busted through
phone logs
Tell-All Telephone (zeit.de)
From Protecting Consumer Privacy in an Era of Rapid Change, FTC, 2010
Open Network Initiative global filtering map -- opennet.net
SSL
Aka, HTTPS (the protocol itself is now called TLS).
Depends on a system of root certificate authorities (CAs) that issue
certificates for sites that use HTTPS: the CA cryptographically signs the
site's public key, binding it to the site's domain name.
Browsers have the CA keys built in, so they can verify that a site presents
a validly signed key for the name in the address bar.
Works great, except that any trusted CA can sign a certificate for any
domain. Certificate authorities have been hacked, and we must expect that
most states can obtain a certificate for a site they want to watch, from a
CA they run or can compel, and use it in an interception proxy between you
and the site: a man-in-the-middle attack the browser accepts without warning.
Real MITM attacks
Legal Landscape
Legal Security
In the U.S., the Privacy Protection Act prevents police from seizing
journalists’ data without a warrant... if you're the one storing it.
Third party doctrine: if it’s in the cloud, no protection!
Third party doctrine in privacy law
Smith v. Maryland, Supreme Court, 1979
Surveillance Law: the U.S. situation
Do you need a warrant to see who I called?
Nope. Supreme court, Smith vs. Maryland, 1979 controls "metadata."
Do you need a warrant to read my email (or IM, etc.)?
Electronic Communications Privacy Act (1986): Not if it's older than 180 days
U.S. v. Warshak, sixth circuit (2010): yes
Proposed Email Privacy Act (passed House April 2016): yes
Do you need a warrant to track someone through their phone?
2013: ACLU FOIA of 200 police departments: some say yes, some say no
2018: Carpenter v. United States, Supreme court says yes for 7 days or more
Do you need a warrant to look at the data on my phone after an arrest?
Yes. Supreme court said so in 2014, Riley vs. California.
"In the first public accounting of its kind,
cellphone carriers reported that they
responded to a startling 1.3 million
demands for subscriber information last
year from law enforcement agencies
seeking text messages, caller locations
and other information in the course of
investigations."
- Wireless Firms Are Flooded by
Requests to Aid Surveillance, New York Times,
July 8 2012
Google Transparency Report
Facebook, Skype, WhatsApp, etc. can be monitored by the parent company, and
requested by law enforcement.
Pictured: Facebook requests, Q1-Q2 2015
Facebook Transparency Report
Threat Modeling
How to plan for a sensitive story
What do I want to keep private?
(Messages, locations, identities, networks...)
Who wants to know?
(story subject, governments, law enforcement, corporations...)
What can they do?
(eavesdrop, subpoena... or exploit security lapses and accidents!)
What happens if they succeed?
(story's blown, legal problems for a source, someone gets killed...)
What Must Be Private?
• Which data?
o Emails and other communications
o Photos, footage, notes
o Your address book, travel itineraries, etc.
• Privacy vs. anonymity
o Encryption protects content of an email or IM
o Not the identity of sender and recipient
Who Wants to Know?
Most of the time, the NSA is not the problem
Your adversary could be the subject of a story, a government, another
news organization, etc.
What Can the Adversary Do?
• Technical
o Hacking, intercepting communications, code-breaking
• Legal
o Lawsuits, subpoenas, detention
• Social
o Phishing, “social engineering,” exploiting trust
• Operational
o The one time you didn’t use a secure channel
o Person you shouldn’t have told
• Physical
o Theft, installation of malware, network taps, violence
Legal threat: NYT reporter investigated
Threat Modeling Scenario #1
You are a photojournalist in Syria with digital images you want to get
out of the country. Limited Internet access is available at a café.
Some of the images may identify people working with the rebels
who could be targeted by the government if their identity is
revealed.
Threat Modeling Scenario #2
You are reporting on insider trading at a large bank and talking
secretly to two whistleblowers who may give you documents.
If these sources are identified before the story comes out, at the
very least you will lose your sources.
Threat Modeling Scenario #3
You are reporting a story about local police misconduct. You have
talked to sources including police officers and victims.
You would prefer that the police commissioner not know of your
story before it is published.
Threat Modeling Scenario #4
You are reporting on drug cartels in Central America. Previous
sources and journalists have been murdered.
Secure Communication
Slack (etc.) lives forever – and killed Gawker
Text messages
Standard text messages are incredibly insecure.
Facebook, WhatsApp, WeChat, etc. are logged by the parent company
– and can be subpoenaed by law enforcement.
Use iMessage or Signal.
SMS is not encrypted! The phone company logs them, and devices exist to
read all SMS text messages sent by nearby phones.
iMessage is very secure, but you must turn off "Send as SMS", or a message
can silently fall back to unencrypted SMS. Correctly sent messages are blue.
WhatsApp recently implemented the Signal protocol on all platforms. But
metadata (who talks to whom, and when) is probably still available to
Facebook, and subpoenable.
Signal is the free, secure messaging app. Its Axolotl Ratchet protocol (now
called the Double Ratchet) provides forward secrecy: a key stolen today does
not decrypt yesterday's messages. Android, iPhone, Desktop.
Signal vs. Law Enforcement
Email
Email is difficult to secure. Avoid it if you can.
Limited security if both ends of the conversation always use Gmail,
Hushmail, or ProtonMail. Still subject to subpoena.
I do not recommend PGP/GPG. Hard to get right, does not hide
metadata, no forward secrecy (old messages revealed if someone gets
your private key.)
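Added example, not from the slides and not Signal's code, serving both the Signal slide ("forward secrecy") and the PGP point just above (a stolen private key reveals old messages): the symmetric hash-ratchet half of the Axolotl/Double Ratchet design in plain Python, beside the long-term-key model. The shared root key, the toy stream cipher and the message texts are assumptions of the demo; the Diffie-Hellman handshake and DH ratchet that Signal layers on top are not shown.

```python
# Added example (not from the slides and not Signal's code): the symmetric
# "hash ratchet" half of the Axolotl/Double Ratchet design, and why it
# gives forward secrecy where a long-term key (the PGP model) does not.
# The shared root key is assumed to exist already; in Signal it comes from
# the Diffie-Hellman handshake and DH ratchet, which are not shown here.
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step: knowing the output tells you nothing about `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher: HMAC-SHA256 in counter mode as a keystream.  Illustration
    only; a real protocol uses an AEAD (AES-GCM, ChaCha20-Poly1305)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(kdf(key, i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class SendingChain:
    """Each message gets a fresh key; the chain key is then replaced by a
    one-way function of itself and the previous value is erased."""

    def __init__(self, chain_key: bytes, n: int = 0):
        self.chain_key = chain_key
        self.n = n            # index of the next message this chain will key

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")   # old chain key gone
        self.n += 1
        return message_key


MESSAGES = [b"can we meet", b"9pm, usual place", b"bring the memo",
            b"story runs friday", b"thank you"]            # constructed


def ratchet_scenario(compromise_after: int = 3) -> dict:
    """Sender ratchets through MESSAGES.  After `compromise_after` messages
    the attacker copies the device state (chain key + counter) and also
    holds every ciphertext.  Returns {index: plaintext} the attacker can
    recover: only messages from the compromise onward."""
    root = os.urandom(32)                # assumed already shared with the peer
    sender = SendingChain(root)
    ciphertexts, stolen = [], None
    for i, m in enumerate(MESSAGES):
        if i == compromise_after:
            stolen = SendingChain(sender.chain_key, sender.n)
        ciphertexts.append(xor_stream(sender.next_message_key(), m))
    if stolen is None:                   # compromise happened after the last message
        return {}
    # The attacker can only run the chain forward from what was stolen.  The
    # keys for messages 0..compromise_after-1 came from chain keys that no
    # longer exist anywhere, and kdf cannot be run backwards.
    return {i: xor_stream(stolen.next_message_key(), ciphertexts[i])
            for i in range(stolen.n, len(ciphertexts))}


def long_term_key_scenario() -> dict:
    """PGP model: every message is wrapped for one long-term key.  Steal that
    key once and every message ever captured, past and future, opens."""
    long_term = os.urandom(32)
    wrapped = []
    for m in MESSAGES:
        nonce = os.urandom(16)           # sent in the clear with the message
        wrapped.append((nonce, xor_stream(kdf(long_term, nonce), m)))
    stolen = long_term                   # attacker obtains the private key later
    return {i: xor_stream(kdf(stolen, nonce), ct)
            for i, (nonce, ct) in enumerate(wrapped)}


if __name__ == "__main__":
    print("ratchet, compromise after 3 messages:", sorted(ratchet_scenario()))
    print("long-term key, compromised any time:", sorted(long_term_key_scenario()))
```

The ratchet protects the past, not the future: everything sent after the compromise is still readable, which is why the DH ratchet exists in the full protocol and why a compromised phone has to be treated as burned.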
Phone calls
Standard phone calls leave “metadata” at phone company. Who you
called, when, how long you talked, where you were.
Who can access this?
Definitely law enforcement.
Sharing and Storing Data
How many copies?
The original file might be on your phone, camera SD card, etc.
What about backups and cloud syncing? Email attachments?
Use secure erase products – but there may still be traces (temporary
files, filenames in “recently used” lists, etc.)
Physical data security
Who could steal your laptop?
Keep drives, papers, etc. locked up.
If someone else can access your
computer, they can install spyware.
Anonymous Sources
Anonymous sources
Anonymity is not the same as privacy
It is much harder.
There are many ways to accidentally reveal someone’s identity.
The key concept is “linkability” between different accounts and
identifiers.
Private but not anonymous
Encrypted message is like a sealed envelope.
Anyone can still read the address (metadata)
Communicating with sources
“So I meet employee X, and we have a cup of coffee even, and we want to
exchange contacts. And if I pull him aside and say, all right, from now on
you’ll call me “Popeye”, and here’s where you download TAILS and we’ll
set up secret, spooky accounts and encryption, it’s as if I was saying, here
let me have your phone number, and by the way can you show me any
recent STD tests, and which brand of condom do you like? It’s sort of who
are you, what are you talking about, I didn’t agree to anything like this.”
- Barton Gellman of the Washington Post, at the HOPE X conference
The only practical answer
Don’t give the source any way to communicate with you that is not
secure.
If they have a gmail address, and you have a gmail address, and
Google is unlikely to cooperate with your adversary, use gmail.
Otherwise: iMessage, WhatsApp, or Signal. But usually you add a
contact by entering a phone number, so how to prevent source from
just calling you?
Anonymous Browsing
IP address reveals location
(and often organization)
From whatismyip.com
Torproject.org
Tor Browser Bundle
IP address in web server logs
reveals story in progress
- US vs Skelos S1 15. Cr. 317 (KMW)
Handling Leaks
Receiving Leaks
Prevent the adversary from knowing who leaked – keep the source
anonymous.
Corporate networks are monitored. Personal devices are associated
with identifying information. Most secure method for transferring
sensitive files is still a face to face meeting.
Publishing is a problem too! File metadata has blown more than one
source.
File metadata
Word documents, PDFs, etc. all have hidden info in the file, including
author name, creation date, and often the name of the last person to edit it.
Most color laser printers add tracking microdots (encoding the printer's
serial number and the print date) to every page.
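Added example, not from the slides: Python that lists and then blanks the identifying fields in a .docx, the kind of metadata the slide says has blown sources. The document is built in memory for the demo; the field names come from the OPC core-properties part (docProps/core.xml) that every .docx carries.

```python
# Added example (not from the slides): reading and blanking the hidden
# properties in a .docx.  A .docx is a zip package; its author, last
# editor and timestamps live in docProps/core.xml.  Standard library only;
# the sample document is constructed in memory here.
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():          # keep the usual prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

IDENTIFYING = ["dc:creator", "cp:lastModifiedBy", "dcterms:created",
               "dcterms:modified", "dc:title"]


def make_sample_docx(author: str, stamp: str, text: str = "Hello") -> bytes:
    """Minimal three-part .docx, constructed for this example."""
    core = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">'
            f'<dc:title>Draft</dc:title><dc:creator>{author}</dc:creator>'
            f'<cp:lastModifiedBy>{author}</cp:lastModifiedBy>'
            f'<dcterms:created xsi:type="dcterms:W3CDTF">{stamp}</dcterms:created>'
            f'<dcterms:modified xsi:type="dcterms:W3CDTF">{stamp}</dcterms:modified>'
            f'</cp:coreProperties>')
    types = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="xml" ContentType="application/xml"/>'
             '<Override PartName="/word/document.xml" ContentType="application/'
             'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
             '<Override PartName="/docProps/core.xml" ContentType="application/'
             'vnd.openxmlformats-package.core-properties+xml"/></Types>')
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f'<w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


def part_names(docx: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return sorted(z.namelist())


def core_properties(docx: bytes) -> dict:
    """The fields anyone sees without even opening the document in Word."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {f: root.findtext(f, default="", namespaces=NS) for f in IDENTIFYING}


def scrub(docx: bytes) -> bytes:
    """Copy the package with identifying core properties blanked.  Zip entry
    timestamps are rewritten as a side effect.  Not covered here: comments,
    tracked changes, docProps/app.xml and embedded images with their own EXIF."""
    src = zipfile.ZipFile(io.BytesIO(docx))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for f in IDENTIFYING:
                    el = root.find(f, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    d = make_sample_docx("Jane Reporter", "2018-12-01T09:30:00Z")
    print("before:", core_properties(d))
    print("after: ", core_properties(scrub(d)))
```

Blanking is only the first pass; for a document you intend to publish, re-open the scrubbed copy and check the remaining parts the comment lists, and remember that converting to an image or printing on paper removes the file metadata but not the printer dots.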
Crossing Borders
Crossing borders
Prepare to be searched. Encrypt your devices. But realize that you may
have to give up your password.
Prepare to have equipment seized. Have backups.
Best plan may be to send data home over the network.
US Border crossing guide
EFF’s “Digital Privacy at the US Border: Protecting Data on Your
Devices and in the Cloud”
https://www.eff.org/wp/digital-privacy-us-border-2017
Case Study: Leaked Cables
How the leak was leaked
Julian Assange gave a password and a temporary URL to
Guardian reporter David Leigh.
Leigh downloaded the file in encrypted form from the temporary
URL.
Leigh decrypted the file and reported on the contents.
...but later, all the cables were available publicly, which is not what
either Assange or Leigh intended.
The Plan
[Diagram: Assange encrypts the cables M with a password, producing E. E is
put at a temporary URL; the password and the URL go to Leigh. Leigh fetches
E from the URL and decrypts it with the password, recovering M.]
What Assange was thinking
[Same diagram, with "???" on E: the encrypted file could circulate, because
without the password it is useless.]
What Leigh was thinking
[Same diagram, with "???" on the password: once the temporary URL was gone,
the password would be useless, so revealing it was harmless.]
What actually happened
[Diagram, "!!!": E never went away; it was mirrored into the WikiLeaks
Archive, and the password was published (in Leigh's book). Password plus E
gives M, so the cables were public.]
Digital security for journalists in one slide
Use real passwords + 2 step login. Recognize phishing. Encrypt your devices. Know
what social media reveals.
Use threat modeling to make a plan for your story. Know what you are protecting from
whom. Integrate digital with physical, legal, operational security.
Avoid email. Use iMessage, WhatsApp, or Signal. Give sources a secure channel
from the start.
Source anonymity requires extensive planning, both online and offline.
Know exactly what data is sensitive, how many copies there are, and where.
Some resources
Committee to Protect Journalists information security guide
http://www.cpj.org/reports/2012/04/information-security.php
Threat modeling in detail
https://source.opennews.org/en-US/learning/security-journalists-part-two-threat-modeling/
Digital Security and Source Protection for Journalists
http://susanemcgregor.com/digital-security/

Student Profile Sample - We help schools to connect the data they have, with ...
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
Presentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxPresentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptx
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translation
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 

Frontiers of Computational Journalism Privacy and Security

  • 15. Chinese email spear-phishing From FireEye blog post: “In August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests”
  • 16. Read the URL Before You Click!
  • 17. Defending Against Phishing • Be suspicious of generic messages • Read the URL before you click • Always read the URL before typing in a password • Report suspicious links to security
  • 18. Laptop falls into Syrian govt. hands, sources forced to flee
  • 19. Encrypt your storage Turn on disk encryption! It’s built in. Use BitLocker (Windows), FileVault (Mac) Encrypt your phone too!
  • 21. Background yourself on social media! Use someone else’s computer (or an Incognito window) and research yourself. See if you can find your home address, date of birth, or child’s school.
  • 22. AP source busted through phone logs
  • 24. From Protecting Consumer Privacy in an Era of Rapid Change, FTC, 2010
  • 29. OpenNet Initiative global filtering map -- opennet.net
  • 30. SSL a.k.a. HTTPS. Depends on a system of root certificate authorities (CAs) that generate certificates (cryptographically sign keys) for sites that use HTTPS. Browsers have CA keys built in, so they can verify that a site has a valid signed key. Works great, except that certificate authorities can be hacked, and we must expect that most states can easily get a certificate signed through a proxy CA.
  • 33. Legal Security In the U.S., the Privacy Protection Act prevents police from seizing journalists’ data without a warrant... if you're the one storing it. Third party doctrine: if it’s in the cloud, no protection!
  • 34. Third party doctrine in privacy law Smith v. Maryland, Supreme Court, 1979
  • 35. Surveillance Law: the U.S. situation
    Do you need a warrant to see who I called? Nope. Supreme Court, Smith v. Maryland, 1979, controls "metadata."
    Do you need a warrant to read my email (or IM, etc.)? Electronic Communications Privacy Act (1986): not if it's older than 180 days. U.S. v. Warshak, Sixth Circuit (2010): yes. Proposed Email Privacy Act (passed House April 2016): yes.
    Do you need a warrant to track someone through their phone? 2013: ACLU FOIA of 200 police departments: some say yes, some say no. 2018: Carpenter v. United States, Supreme Court says yes for 7 days or more.
    Do you need a warrant to look at the data on my phone after an arrest? Yes. Supreme Court said so in 2014, Riley v. California.
  • 36. "In the first public accounting of its kind, cellphone carriers reported that they responded to a startling 1.3 million demands for subscriber information last year from law enforcement agencies seeking text messages, caller locations and other information in the course of investigations." - Wireless Firms Are Flooded by Requests to Aid Surveillance, New York Times, July 8, 2012
  • 38. Facebook, Skype, WhatsApp, etc. can be monitored by parent company. And requested by law enforcement. Pictured: Facebook requests, Q1-Q2 2015 Facebook Transparency Report
  • 40. How to plan for a sensitive story
    What do I want to keep private? (Messages, locations, identities, networks...)
    Who wants to know? (story subject, governments, law enforcement, corporations...)
    What can they do? (eavesdrop, subpoena... or exploit security lapses and accidents!)
    What happens if they succeed? (story's blown, legal problems for a source, someone gets killed...)
  • 41. What Must Be Private?
    • Which data?
      o Emails and other communications
      o Photos, footage, notes
      o Your address book, travel itineraries, etc.
    • Privacy vs. anonymity
      o Encryption protects the content of an email or IM
      o Not the identity of sender and recipient
  • 42. Who Wants to Know? Most of the time, the NSA is not the problem Your adversary could be the subject of a story, a government, another news organization, etc.
  • 43. What Can the Adversary Do?
    • Technical
      o Hacking, intercepting communications, code-breaking
    • Legal
      o Lawsuits, subpoenas, detention
    • Social
      o Phishing, “social engineering,” exploiting trust
    • Operational
      o The one time you didn’t use a secure channel
      o Person you shouldn’t have told
    • Physical
      o Theft, installation of malware, network taps, violence
  • 44. Legal threat: NYT reporter investigated
  • 45. Threat Modeling Scenario #1 You are a photojournalist in Syria with digital images you want to get out of the country. Limited Internet access is available at a café. Some of the images may identify people working with the rebels who could be targeted by the government if their identity is revealed.
  • 46. Threat Modeling Scenario #2 You are reporting on insider trading at a large bank and talking secretly to two whistleblowers who may give you documents. If these sources are identified before the story comes out, at the very least you will lose your sources.
  • 47. Threat Modeling Scenario #3 You are reporting a story about local police misconduct. You have talked to sources including police officers and victims. You would prefer that the police commissioner not know of your story before it is published.
  • 48. Threat Modeling Scenario #4 You are reporting on drug cartels in Central America. Previous sources and journalists have been murdered.
  • 50. Slack (etc.) lives forever – and killed Gawker
  • 51. Text messages Standard text messages are incredibly insecure. Facebook, WhatsApp, WeChat, etc. are logged by the parent company – and can be subpoenaed by law enforcement. Use iMessage or Signal.
  • 52. SMS is not encrypted! The phone company logs them, and devices exist to read all SMS text messages sent by nearby phones.
  • 53. iMessage is very secure, but you must turn off “Send as SMS” Correctly sent messages are blue.
  • 54. WhatsApp recently implemented Signal protocol on all platforms. But metadata probably still available to Facebook, and subpoenable.
  • 55. Signal is the free, secure messaging app. The Axolotl Ratchet protocol provides forward secrecy. Android, iPhone, Desktop.
  • 56. Signal vs. Law Enforcement
  • 57. Email Email is difficult to secure. Avoid it if you can. Limited security if both ends of the conversation always use Gmail, Hushmail, or ProtonMail. Still subject to subpoena. I do not recommend PGP/GPG: hard to get right, does not hide metadata, no forward secrecy (old messages are revealed if someone gets your private key).
  • 60. Phone calls Standard phone calls leave “metadata” at phone company. Who you called, when, how long you talked, where you were. Who can access this? Definitely law enforcement.
  • 62. How many copies? The original file might be on your phone, camera SD card, etc. What about backups and cloud syncing? Email attachments? Use secure erase products – but there may still be traces (temporary files, filenames in “recently used” lists, etc.)
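The "how many copies?" inventory above, as an added example that is not from the slides: it builds a constructed directory tree (invented paths and contents) standing in for a working copy, a backup, a cloud-sync cache and a stray renamed copy, then finds copies by content hash and, separately, leftover files whose name still points at the original.

```python
# Inventory every copy of a sensitive file before deciding how to erase it.
# Added example, not from the original slides. A constructed tree (invented
# paths) stands in for a working copy, a backup, a cloud-sync cache and a
# stray "draft (1)" copy; copies are found by content hash, and files whose
# name still points at the original (autosave, Office ~$ lock file) by name.
import hashlib
import os
import tempfile

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_copies(original: str, roots) -> dict:
    """Paths other than the original: identical bytes, or a name derived from it."""
    target = sha256_of(original)
    stem = os.path.splitext(os.path.basename(original))[0]
    by_content, by_name = [], []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                if os.path.samefile(p, original):
                    continue
                if sha256_of(p) == target:
                    by_content.append(p)
                elif stem in name:  # e.g. "~$draft.docx", "draft.docx.bak"
                    by_name.append(p)
    return {"by_content": sorted(by_content), "by_name": sorted(by_name)}

def build_sample_tree() -> tuple:
    """Constructed sample data: returns (original_path, [roots_to_scan])."""
    top = tempfile.mkdtemp()
    secret = b"source list: do not distribute\n"
    layout = {
        "Documents/draft.docx": secret,
        "Documents/~$draft.docx": b"lock file",
        "Backups/2018-11-30/draft.docx": secret,
        "CloudSync/cache/draft (1).docx": secret,
        "Downloads/unrelated.pdf": b"nothing to see",
    }
    for rel, data in layout.items():
        path = os.path.join(top, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return os.path.join(top, "Documents/draft.docx"), [top]

if __name__ == "__main__":
    orig, roots = build_sample_tree()
    for kind, paths in find_copies(orig, roots).items():
        print(kind, len(paths), paths)
```

Run it against real roots (home directory, backup volume, sync folders) to get the list that a secure-erase pass must cover; the name matches are the "recently used" style traces the slide warns about.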
  • 63. Physical data security Who could steal your laptop? Keep drives, papers, etc. locked up. If someone else can access your computer, they can install spyware.
  • 65. Anonymous sources Anonymity is not the same as privacy It is much harder. There are many ways to accidentally reveal someone’s identity. The key concept is “linkability” between different accounts and identifiers.
  • 66. Private but not anonymous An encrypted message is like a sealed envelope. Anyone can still read the address (metadata).
  • 67. Communicating with sources “So I meet employee X, and we have a cup of coffee even, and we want to exchange contacts. And if I pull him aside and say, all right, from now on you’ll call me “Popeye”, and here’s where you download TAILS and we’ll set up secret, spooky accounts and encryption, it’s as if I was saying, here let me have your phone number, and by the way can you show me any recent STD tests, and which brand of condom do you like? It’s sort of who are you, what are you talking about, I didn’t agree to anything like this.” - Barton Gellman of the Washington Post, at the HOPE X conference
  • 68. The only practical answer Don’t give the source any way to communicate with you that is not secure. If they have a Gmail address, and you have a Gmail address, and Google is unlikely to cooperate with your adversary, use Gmail. Otherwise: iMessage, WhatsApp, or Signal. But usually you add a contact by entering a phone number, so how do you prevent the source from just calling you?
  • 70. IP address reveals location (and often organization) From whatismyip.com
  • 73. IP address in web server logs reveals story in progress - US v. Skelos, S1 15 Cr. 317 (KMW)
  • 75. Receiving Leaks Prevent the adversary from knowing who leaked – keep the source anonymous. Corporate networks are monitored. Personal devices are associated with identifying information. The most secure method for transferring sensitive files is still a face-to-face meeting. Publishing is a problem too! File metadata has blown more than one source.
  • 78. File metadata Word documents, PDFs, etc. all have hidden info in the file, including author name, creation date.
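The hidden author and date fields described in slides 75 and 78, as an added example that is not from the slides: a .docx is a zip archive whose docProps/core.xml carries those fields, and the Python standard library can list and remove them. The sample archive, the creator name "jdoe-laptop", "Jane Doe" and the date are constructed values.

```python
# Read and strip the identifying core properties of an Office (.docx) file.
# Added example, not from the original slides: a .docx is a zip archive whose
# docProps/core.xml carries fields such as dc:creator and dcterms:created.
# The sample archive below is constructed inline with invented values.
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}
# Fields that can name a person, a workstation or a timeline.
SENSITIVE = ["dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"]
SAMPLE_CORE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
    "<dc:title>draft</dc:title><dc:creator>jdoe-laptop</dc:creator>"
    "<cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>"
    "<dcterms:created>2018-11-30T09:12:00Z</dcterms:created></cp:coreProperties>"
).format(**NS)

def make_sample_docx() -> bytes:
    """Constructed, minimal .docx-like zip held in memory (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

def read_metadata(docx_bytes: bytes) -> dict:
    """Return the sensitive core-property fields present in the file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {tag: el.text for tag in SENSITIVE
            if (el := root.find(tag, NS)) is not None and el.text}

def strip_metadata(docx_bytes: bytes) -> bytes:
    """Rewrite the archive with the sensitive fields removed. Entries are
    re-created rather than copied with their ZipInfo, so the zip's own
    per-entry timestamps (another leak) are not carried over either."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src:
        root = ET.fromstring(src.read("docProps/core.xml"))
        for tag in SENSITIVE:
            el = root.find(tag, NS)
            if el is not None:
                root.remove(el)
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w") as dst:
            for name in src.namelist():
                data = src.read(name)
                if name == "docProps/core.xml":
                    data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
                dst.writestr(name, data)
    return out.getvalue()
```

The same zip-plus-XML layout holds for .xlsx and .pptx; PDFs keep their author and dates in a separate Info dictionary and XMP stream, so they need a different scrubber.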
  • 79. Most printers add microdots to every page
  • 81. Crossing borders Prepare to be searched. Encrypt your devices. But realize that you may have to give up your password. Prepare to have equipment seized. Have backups. Best plan may be to send data home over the network.
  • 83. US Border crossing guide EFF’s “Digital Privacy at the US Border: Protecting Data on Your Devices and in the Cloud” https://www.eff.org/wp/digital-privacy-us-border-2017
  • 85. How the leak was leaked Julian Assange gave a password and a temporary URL to Guardian reporter David Leigh. Leigh downloaded the file in encrypted form from the temporary URL. Leigh decrypted the file and reported on the contents. ...but later, all the cables were available publicly, which is not what either Assange or Leigh intended.
  • 86. The Plan [diagram: Assange encrypts M with a password to get E; the URL and the password go to Leigh; Leigh decrypts E back to M]
  • 87. What Assange was thinking [same diagram, with "???" on E]
  • 88. What Leigh was thinking [same diagram, with "???" on M]
  • 89. What actually happened [same diagram, with "!!!", plus: password, WL Archive, E, M]
  • 90. Digital security for journalists in one slide
    Use real passwords + 2 step login. Recognize phishing. Encrypt your devices. Know what social media reveals.
    Use threat modeling to make a plan for your story. Know what you are protecting from whom. Integrate digital with physical, legal, operational security.
    Avoid email. Use iMessage, WhatsApp, or Signal. Give sources a secure channel from the start.
    Source anonymity requires extensive planning, both online and offline.
    Know exactly what data is sensitive, how many copies there are, and where.
  • 91. Some resources
    Committee to Protect Journalists information security guide: http://www.cpj.org/reports/2012/04/information-security.php
    Threat modeling in detail: https://source.opennews.org/en-US/learning/security-journalists-part-two-threat-modeling/
    Digital Security and Source Protection for Journalists: http://susanemcgregor.com/digital-security/