Why every journalist should have a threat model (with cats)

Just because you're paranoid doesn't mean they aren't after you

If you’re a journalist in the 21st century you have two choices: you can choose to be paranoid, or you can choose to be delusional.

The paranoid journalist assumes that someone is out to get them. The delusional journalist assumes that no one is.

In this post I will explain why and how every journalist – whether you’re a music reporter or a political correspondent – can take a serious and informed look at their security and arrive at a reasonable evaluation of risks and safeguards.

Don’t panic. I promise that by the end of this piece you will be less anxious about security, and no longer paranoid. I also promise to use lots of lolcats.

Are you paranoid?

There are two reasons why security is now the concern of all journalists and not just those reporting on national security:

  1. You are now not just a journalist but a publisher; and
  2. Almost all your correspondence and activity is recorded.

Your reality: I will not face it

The mental health charity Mind describes fears as paranoid “when they are exaggerated and there is no evidence that they are true.”

So the key to avoiding slipping into paranoia – or delusion – is to ensure that you have a realistic understanding of the risks involved in your role.

These will vary depending on the stories you report – but there will always be risks, because that is the nature of online publishing.

Evaluating the risks in your role: the threat model

A very useful model for evaluating the security risks in your work is the threat model. This involves answering four simple questions:

  1. What information do you not want other people to know? (This can be anything from passwords to contacts’ details, data and documents)
  2. Why might someone want that information? Who?
  3. What can they do to get it?
  4. What might happen if they do?

I’ll tackle those one by one – it will help you to answer them for your own work.

Q1: What information do you want to keep to yourself?

We all have information that we want to keep to ourselves. The most obvious – so obvious it can be easy to overlook – are passwords.

We now have dozens of these, for email, social media accounts, content management systems, cloud storage systems, and a raft of online tools past and present.

Then there are our contacts. Some of these may be named in our reporting, but not always. Certainly we don’t intentionally publish their contact details or their location. But if we’re not careful, we might.

There is our correspondence with contacts too. This might include all sorts of information which we wouldn’t want others to know about.

And most obviously there is the information behind our stories, both past and future. This might be work-in-progress, files and documents which we couldn’t publish for all sorts of reasons (space, legality).

Asking if you are under surveillance is the wrong question. Instead, ask whether what you say and do is being recorded. If you use computers in any way (including your phone and even photocopiers), the answer is yes.

Q2: Why might someone want that information? Who?

LOLCAT: He's watching me isn't he? / He knows I'm watching him

This is the question that most people fail to ask – and the main reason why most journalists don’t take security seriously.

Although the Snowden revelations did an enormous amount to raise awareness of state surveillance they also created the misleading impression that governments and their intelligence arms are the main security threat for journalists.

Intelligence agencies are not the main security threat for most journalists.

A second mistake is to think “I’m not that interesting”. But the journalist’s activity is not the main target in many security breaches.

So why might someone want your information? Simple. Your audience.

Tried stalking you on Facebook - Ur boring

A great example of this is the activity of the Syrian Electronic Army. They targeted entertainment journalists at E! News:

The Syrian Electronic Army targeted E! News in order to spread its message

…and BBC Weather:

The Syrian Electronic Army hacked the BBC Weather Twitter account

They also successfully targeted journalists at Forbes, according to E Hacking News, because the publication had posted articles critical of the group. This is key: just because you don’t have enemies doesn’t mean your organisation or colleagues don’t.

In this respect, sometimes your passwords may be a means to attack others in that organisation, and access information you don’t directly hold. The Syrian Electronic Army, for example, also published login credentials for a million Forbes users. Do you want to be an Alex Knapp?

Of course, sometimes it isn’t just your password and your audience that they want. You may have information that the local police wants to access, or a local politician, or a celebrity, or a commercial organisation. Or indeed competing journalists and news organisations.

So, for your threat model, list the individuals and organisations who might want to access your audiences, passwords, or information – or those of your colleagues. Then move onto the next step of whether they can do so or not…

Q3: What can they do to get it?

security according to xkcd

Again, this is a question where high profile cases can lead to some misguided assumptions. ‘Hacking’ is not the most likely means that someone will use to access your information.

More likely is social engineering (particularly phishing) or legal processes. And if you’re operating in a particularly dangerous environment, it might even be ‘rubber-hose cryptanalysis’ (see image above).

Social engineering

Social engineering includes a range of techniques from merely looking over your shoulder (shoulder surfing), to pretending that someone is from tech support or some other role needing access to your computer (role playing), and the use of email attachments (trojan horses).


Social engineering techniques – image from ITsecurity.be

ITsecurity.be provides a useful detailed breakdown of these techniques (and the image above) and the defences against them.

Don’t worry about all of these all of the time. The threat model is intended to help you realistically assess which ones might be most relevant to you, your information, and those who might target it.

For example, if you access the internet often in public places such as coffee shops you may want to consider shoulder surfing a risk. But if you don’t, then you won’t.

Shoulder surfing comic – image from Rage Comics

Many security breaches in journalism can be traced back to phishing attacks. Reporters at The Associated Press, for example, were targeted by a phishing email with a link which installed malicious software. The Onion were targeted in a similar way:

Onion phishing email

Notably, phishing emails can come from a colleague whose account has been compromised.

No one is immune from this: I once received such an email from a very senior and experienced investigative reporter. I immediately contacted them through a separate channel to check if they had sent the email — and to warn their colleagues if they hadn’t.

At this point remember that this is still just a threat model – addressing that model is a separate process. But as a rule of thumb always be cautious of links in emails and never log in to an account via such a link. If the destination page requests authentication (e.g. Google, Facebook, Twitter, Dropbox) then this may be a way of gathering your login details. If you are already logged into those services it should not be asking.

Try the phishing IQ test to see how alert you are even when you know you are being tested. Note that phishing attacks on journalists (rather than those intended to gather bank details) may be much more specific.
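A defender’s check for the rule of thumb above, added here as an example and not part of the original post: it lists every link in an HTML e-mail body and flags those whose visible text names a different host than the real destination, or that lead to a sign-in page on a host outside an assumed allow-list. TRUSTED_HOSTS, the sample e-mail and its lookalike domains are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts where the newsroom legitimately signs in.
TRUSTED_HOSTS = {"accounts.google.com", "www.dropbox.com", "twitter.com"}
# Constructed sample lure; the lookalike domains are invented placeholders.
SAMPLE_EMAIL = """<a href="http://accounts.google.com.verify-docs.example/login">https://accounts.google.com</a>
<a href="https://www.dropbox.com/s/abc123">Open in Dropbox</a>
<a href="http://dropbox-share.example/signin">Open in Dropbox</a>"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # remember the real destination, start collecting text
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self._text.append(data)  # only read back when the matching </a> closes

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host_in_text(text):
    """Host named in the visible link text, or '' when the text is just words."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else ""

def suspicious_links(html_body):
    """Return one record per link that should not be followed to a sign-in page."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        real, shown, reasons = (parts.hostname or "").lower(), _host_in_text(text), []
        if shown and shown != real:  # display text lies about the destination
            reasons.append(f"text shows {shown} but the link goes to {real}")
        if real not in TRUSTED_HOSTS and re.search(r"login|signin|auth", parts.path, re.I):
            reasons.append(f"sign-in page on untrusted host {real}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings
```

Run against SAMPLE_EMAIL it flags the first and third links and leaves the genuine Dropbox share alone; a mail gateway or a cautious reader can apply the same two questions by hand.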

Legal attacks: direct and indirect

Beyond phishing and other social engineering techniques, an adversary might simply use legal avenues to get hold of your information.

That might include direct approaches such as subpoenas demanding that you reveal a source or court orders to pass over footage, but increasingly it might also include indirect approaches, to companies holding your information.

For example, asking phone companies for details of your phone calls, texts or location; asking email providers for details of login locations or even the content of messages; or asking cloud storage service providers for access to your documents.

This will depend on the laws in your country and the agencies allowed to use them. But remember that it’s not just law enforcement and intelligence agencies: in the UK, for example, over 470 local authorities have access to communications data under RIPA laws and can authorise surveillance.

Don’t overlook the possibility of other countries’ laws being used as well – particularly if you are travelling (a laptop or phone may be seized at the airport) but also if your information is accessible in another country.

Q4: What might happen if they do?

Having mapped out the means and the motives of potential adversaries, the final step is to list what might happen if they succeed. These include:

  • Publication of hoax information on content management systems (the news website) and social media accounts
  • Phishing emails sent from your email or social media account to a colleague or friend
  • Accessing commercially sensitive information held by your organisation (e.g. customer details)
  • Accessing editorially sensitive information held by you (e.g. correspondence with sources)
  • Identification of sources through other data, e.g. your location, phone or email records
  • Physical, social or economic danger to those sources, e.g. losing employment, losing privacy, criminal proceedings, assault.
  • Loss of reputation and trust for you as a reporter

This final step in the threat model helps you assess both the importance of the threat and the likelihood of it coming to pass. For example, it may be incredibly unlikely that your source will face physical danger, or that a particular adversary will want to smear your Twitter account with lies. But other dangers may be more realistic – and worth preparing for.

Of course at the end of all this you may choose to ignore the threats and carry on as you always have.

Homer Simpson: Just because I don't care doesn't mean I don't understand

But if you do care, it’s time to address the specific demands of the threat you’ve identified in your model. For that I’ll need a separate post.

The key thing, however, is to identify the threat model so you’re not wasting time on security measures that aren’t relevant – or ignoring ones that are. Here are some example threat models for various journalism roles to get you started on creating your own. If you have any others, I’d love to hear about them.

UPDATE (July 4 2016): The website Privacy for Journalists has a useful framework for threat modelling here, including defence strategies.

Three examples of different threat models

  1. What info do you want to keep? Passwords.
  2. Why might someone want it? To spam.
  3. What can they do? Guess password, phishing.
  4. What might happen? Damage to brand, trust.

A basic threat model for anyone with access to a key social media account – or colleagues who do.

  1. What info do you want to keep? Communication with sources.
  2. Why might someone want it? To prevent publication, smear.
  3. What can they do? Guess/hack password, phishing, legal avenues.
  4. What might happen? Story killed, credibility, trust.

This is an example of a threat model for anyone who deals with protestors, complainants, or others who might themselves be targets.

  1. What info do you want to keep? Identity/location of sources.
  2. Why might someone want it? To intimidate, attack, smear.
  3. What can they do? Guess/hack password, phishing, metadata, mobile trail, more.
  4. What might happen? Source attacked, imprisoned, trust.

When dealing with whistleblowers, leaks, or sources in oppressive regimes, you need to protect identity and location. The threat model above is a sample for that.