Tag Archives: surveillance

Brave new world? 5 things your newsroom can do now to protect your journalism against the Snooper’s Charter

Leave a reply

The Investigatory Powers Act has now been law for almost six months. For journalists and publishers this means having to remember that the webpages that you and your sources visit, who you call on your phone, and where you take it, are all being collected and potentially accessed by a range of authorities*.

It also gives the state the power to hack into devices and to require companies to help them compromise the security of users of their websites and apps.

But most importantly, it means understanding that unlike previous legal regimes it is likely that you will not be aware if any of this is happening, nor will you have an opportunity to mount a legal defence to argue against it.

If this makes you feel powerless to protect your sources, here are some things you can do to feel better:

Continue reading

Research on information security in local newspapers – the published version

Leave a reply

Pie chart: 88% of respondents did not know what their employers were doing about information security

Previously on OJB I posted about some ongoing research I was conducting into whether security practices in local news organisations had changed in the wake of the Snowden and RIPA (UK surveillance powers) revelations.

Now the full research paper has been published in the academic journal Digital Journalism, as part of a special edition on Journalism, Citizenship and Surveillance Society. The abstract pretty much sums it up:

“Despite reports of widespread interception of communications by the UK government, and revelations that police were using surveillance powers to access journalists’ communications data to identify sources, regional newspaper journalists show few signs of adapting source protection and information security practices to reflect new legal and technological threats, and there is widespread ignorance of what their employers are doing to protect networked systems of production. This paper argues that the “reactive” approach to source protection that seeks to build a legal defence if required, is no longer adequate in the context of workforce monitoring, and that publishers need to update their policies and practice to address ongoing change in the environment for journalists and sources.”

Other highlights of the edition include:

The machine that learns how to stop whistleblowers

1 Reply
INSIDER THREAT John connects via VPN Administrator performs ssh (root) to a file share - finance department John executes remote desktop to a system (administrator) - PCI zone John elevates his privileges root copies the document to another file share - Corporate zone root accesses a sensitive document from the file share root uses a set of Twitter handles to chop and copy the data outside the enterprise USER ACTIVITY

An example of whistleblower behaviour taken from Harry McLaren’s slides

Workplace surveillance is nothing new, but this slide from Harry McLaren’s talk on Machine Learning for Threat Detection illustrates particularly well the challenges facing journalists wishing to protect whistleblowers.

McLaren is talking about malicious threats, and the way that machine learning can be used to identify suspicious patterns of behaviour. But the example given above is equally useful in illustrating the way that similar behaviour might be used to identify an employee intending to whistleblow on illegal, unethical or dangerous behaviour by his or her organisation. Continue reading

How publishers could end up helping authorities hack their own readers

3 Replies
Alan Rusbridger holding the destroyed Snowden files hard disk

The Guardian complied when authorities demanded they destroy the Snowden files

So far most of the talk about the Investigatory Powers Bill has been about the lack of protection for journalists’ sources thrown up by powers to intercept communications.

But there’s another part to the Bill which relates to facilitating state hacking – and an analysis by Danny O’Brien has thrown up some worrying ambiguity on this front for publishers – not just those based in the UK. Continue reading

VIDEO: Surveillance and the ‘1984 Generation’

2 Replies

Online video project newsPeeks have put together a documentary on surveillance. I really enjoyed it, so I’m sharing it here. Not only is the content great (newsPeeks were live at the Logan Symposium on the topic late last year so got some great contacts), but the production is a great example of online-native video (disclosure: I’m an unpaid advisor).

Continue reading

FAQ: Investigative journalism now – and its future

2 Replies

The latest in the series of FAQ posts comes from a student in Germany who is interested in how investigative journalism is affected by the financial situation of publishers, and how it might develop in the next decade. Continue reading

“Don’t be afraid: keep them afraid” and other notes from the Logan Symposium on surveillance’s first day

4 Replies
Don't be afraid. But keep them afraid.

Seymour’s parting advice to young journalists: maintain a watchdog role and hold power to account

On Friday I was at the Logan Symposium on secrecy, surveillance and censorship, an event which, as is often the case with these things, managed to be inspiring, terrifying, and confusing in equal measure.

Notably, Director of the Centre for Investigative Journalism Gavin MacFadyen opened the day by talking about investigative journalists and hackers together.

It is common to hear attacks on journalists mentioned at these events, but rare to hear an old-fashioned hack like MacFadyen also talk about the “growing number of hackers being imprisoned”, while noting the commonalities of a desire for a free press, free speech, and “a free internet”. Continue reading

The Government wants to know where you were online, when. Why journalists should be cautious

8 Replies

 

tor https infographic

The EFF have an interactive graphic which shows you what information can be grabbed when you’re using Tor or HTTPS

Home secretary Theresa May wants to be able to connect IP addresses (which identify machines) with users (those using it at that particular time).

In a nutshell this means being able to identify whether you were in a particular place at a particular time – only the ‘place’ in question happens to be virtual: a website.

Now clearly this is aimed at identifying terrorists and paedophiles. But then so was RIPA, a law which has been used to spy on journalists and intimidate staff who speak to them and to “pull reporters’ phone records in every single leak inquiry in the last ten years“, including all calls to the Sun’s newsdesk and by their political editor in one inquiry.

In recent weeks we have heard about prison officials monitoring confidential phonecalls between MPs and prisoners, and between lawyers and their clients. Continue reading

So Google scans email for dodgy images – should we be worried about scanning for sensitive documents?

5 Replies

Gmail logo

You could be forgiven for not having heard of John Henry Skillern. The 41 year old is facing charges of possession and promotion of child pornography after Google detected images of child abuse on his Gmail account.

Because of his case we now know that Google “proactively scours hundreds of millions of email accounts” for certain images. The technology has raised some privacy concerns which have been largely brushed aside because, well, it’s child pornography.

Sky’s technology correspondent Tom Cheshire, for example, doesn’t think it is an invasion of our privacy for “technical and moral reasons”. But should journalists be worried about the wider applications of the technology, and the precedent being set?

Continue reading

Four examples of different threat models

Leave a reply

My post on threat models for journalists is quite lengthy, so I thought I’d put the sample threat models from that in their own, separate post. Here they are – note that these are very simple, sketchy threat models and you would want to expand on these. But hopefully they provide a starting point. I’d also recommend checking out this resource from Privacy for Journalists.

What info do you want to keep? Passwords. Why might someone want it? To spam. What can they do? Guess password, phishing. What might happen? Damage to brand, trust.

A basic threat model for anyone with access to a key social media account – or colleagues who do.

What info do you want to keep? Communication with sources. Why might someone want it? To prevent publicaiton, smear. What can they do? Guess/hack password, phishing, legal avenues. What might happen? Story killed, credibility, trust.

This is an example of a threat model for anyone who deals with protestors, complainants, or others who might be targets of others

What info do you want to keep? Identity/location of sources. Why might someone want it? To intimidate, attack, smear. What can they do? Guess/hack password, phishing, metadata, mobile trail, more. What might happen? Source attacked, imprisoned, trust.

When dealing with whistleblowers, leaks, or sources in oppressive regimes, you need to protect identity and location. Here’s a sample threat model for that.

What info? Documents. Why? To prevent publication, identify sources. What can they do? Guess, hack, phish passwords for cloud services. Legal avenues etc. What might happen? Story killed, credibility damaged, sources don't trust.

When working with documents, you may need to prevent others getting access to them. Here’s a sample threat model for that.