Tag Archives: Snowden

Cracking the code: Workshop gives journalists a crash course in encryption

  • TestBed's Aaron Rinehart lectures to seminar attendees prior to the hands-on portion of the day on April 3, 2015. (Jennifer-Leigh Oprihory/MEDILL NSJI)

WASHINGTON — The minds behind TestBed, Inc., a Virginia-based IT consulting firm specializing in IT planning, analytics, testing, prototyping and business advice for the public and private sectors, gave journalists a crash course in digital safety and encryption techniques at an April 3 seminar in Washington.

The daylong event, “Cyber Security Skill Workshop for Journalists: Sending Secure Email,” was co-sponsored by the Medill National Security Journalism Initiative and the Military Reporters & Editors Association, and held in the Medill Washington newsroom.

The seminar began with an introductory lecture on cybersecurity basics and common misconceptions about online privacy and security. Security-related superstitions, such as the idea that browsing in so-called “incognito” or “invisible” modes will keep your digital whereabouts truly hidden, were promptly dispelled.

TestBed’s Aaron Rinehart and David Reese then transformed the event into a hands-on lesson in PGP – an acronym for “Pretty Good Privacy” – as well as understanding other aspects of digital fingerprints (including how to create a public key, how to register it in the Massachusetts Institute of Technology’s PGP directory so that you are more widely contactable by those in the encryption know and how to revoke (or deactivate) a key for security reasons.

The program also included a brief introduction to the Tor network, a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor, originally developed by the U.S. Navy, hides the route taken from a computer’s IP address to its eventual browsing destination.

Learn how Tor works via Medill reporter William Hicks’ helpful primer and infographic here.

When asked for the top three lessons he hoped attendees would take away from the event, Rinehart emphasized the importance of “good key management,” or not sharing your private PGP key with anyone, operating “under good security practices”(such as updating software and antivirus programs) and making email encryption a regular habit.

“Don’t compromise convenience for security,” Rinehart said in a post-workshop interview. “Try to make this something you can use everyday.”

The event drew a mix of reporters, security experts and students, which included military veterans and defense journalists.

Northwestern University in Qatar journalism student James Zachary Hollo attended the event to research encryption resources available for foreign correspondents and to report on the workshop for the Ground Truth Project in Boston, where he is currently completing his Junior Residency.

Hollo said the seminar gave him a better understanding of how to use PGP.

“I had sort of experimented with it before I came here, but this gave me a much better and deeper understanding of it, and I got to sort of refine my ability to use it more,” he said.

Hollo said he was surprised that many attendees came from military service or military reporting backgrounds, since, in his view, “one of the blowbacks against the NSA story [involving whistleblower Edward Snowden] was that it’s like reporting is like betraying your country.”

 

Privacy: Then and now

Americans value privacy. We close and lock our doors when we get home at the end of the day. We close the blinds when we change clothes so the neighbors can’t peek. If someone wants to visit, they don’t just come over unannounced–they call or text first. In terms of technology, we set passcode locks on our computers and smartphones.

A 2014 Pew Research poll asked people to define “privacy” in one word. The most popular answers were security, secret, personal, alone, information and business.

But today, it’s possible to follow your Internet searches, see who you email, text and call, track your geographical location at all times, monitor your purchases and even track your credit card and phone bills.

The trackers include everyone from family and friends to companies, marketing agencies, the government and law enforcement. From basic information posted on social media, to GPS tracking on your smartphone, people around the world can learn a lot about you from your Internet activity — even when you aren’t intentionally on the Internet. Combining these various components gives them a pretty good idea of what you do, your likes and dislikes, and who and where you are.

You know that nightmare where you’re standing naked in front of an audience? Well, this is the very real 21st century equivalent.

Nearly every app on the modern smartphone is programmed with GPS. Whenever you walk by a WiFi-enabled store, café or home with your Wi-Fi turned on, it registers your device– creating a virtual path of your movement. Do you ever search Google for something, and minutes later see advertisements for it on your sidebar or Facebook? That’s not a coincidence.

In 1965 Gordon Moore, co-founder of Intel, made a prediction known as Moore’s Law: computing power doubles every two years. In other words, computers process large amounts of data faster than ever before. That’s why those Google searches turn into ads so quickly.

Further, the price of data storage is steadily dropping. In 1991, one-gigabyte hard drives cost around $2,700. In 2007, one terabyte (1000x GB) hard drives cost $375. Currently, one terabyte drives cost around $60.

What happens when infinitely faster processing meets infinitely cheaper storage?

“It starts to infringe upon privacy,” said Paul Rosenzweig, cyber and homeland security expert.

So what right do Americans have to privacy?

The Founding Fathers wrote the Fourth Amendment to the Constitution in 1791. It grants citizens the right to be “secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” Obviously they didn’t have Internet security in mind. Instead, it was a response to Britain’s “general warrant” allowing soldiers total access to search American colonials and their homes.

Let’s translate this to cybersecurity: without a warrant, the government cannot keep surveillance on devices for which individuals have a reasonable expectation of privacy. It also cannot physically take these devices to later use as evidence in court.

Fast-forward nearly 200 years to the Privacy Act of 1974. This legislation came after concerns about the government’s collection, retention and use of personal data. The federal government has a number of databases with information on individuals, both citizens and noncitizens.

The Privacy Act of 1974 set four basic restrictions on the government regarding these databases. First, it required government agencies to show individuals all records kept on them if requested. Second, it set “fair information practices” that agencies must follow when collecting and saving data, such as giving notice that it is collecting the information, how it is storing it and how it is protecting privacy. Third, it restricted the ways information can be shared with other people and agencies. Fourth, it allowed people to sue the government if it violates these regulations.

Even though the Privacy Act was meant to increase government transparency, it contains many exceptions and loopholes.

For example, nongovernment entities, like email and phone providers and app developers are barely restricted when it comes to information collection. They are legally required to disclose in privacy agreements the information they collect (yes, those long, size five-font agreements that very few people bother to read), but that’s about as far as regulation goes. Further, these companies are required to provide government agencies with these user records whenever requested, leaving virtually no choice.

That’s why privacy advocates like Amie Stepanovich encourage companies to only collect information completely pertinent to the functioning of the business.

Stepanovich is senior policy counsel at Access Now, an international digital rights organization.

Stepanovich also urges further safeguards for personal privacy, such as encrypting emails, turning off smartphone app location services and creating secure passwords for online accounts. While these precautions–ranging from simple to very skillful–can certainly aid in Internet security, there’s no surefire way to be anonymous online.

Privacy professionals know that it’s impossible to function in 21st century society without being active online. They also know that, though it means being tracked, keeping location services turned on for some apps can make life easier and, honestly, more fun. Who wants to carry around–and decipher– a map when a GPS provides voice activated turn-by-turn directions? Similarly, think about apps like Starbucks’ that send alerts and coupons every time you’re near a store.

We’re okay with giving Starbucks our location, and maybe even letting Google track our searches, if it means we’ll be notified of sales. But when did we consent to give our purchase histories to credit companies, address histories to data aggregation companies, or travel habits and telephone records to the government?

Americans have mixed feelings about digital surveillance. Many are willing to sacrifice some privacy in exchange for stronger national security. Wouldn’t we all rather the government use cyber tracking to identify and stop terrorists through before they attack?

But specifically after the Snowden leaks, many Americans have become skeptical of the government’s digital surveillance. The Pew Research poll found that 80 percent of adults believe Americans should be concerned about the government monitoring their phone and Internet activity.

Even more are concerned with company surveillance. That same poll showed that 91 percent of adults “agree” or “strongly agree” that consumers have lost control over how companies collect and use their personal information.

While 61 percent said they would “like to do more” to protect their anonymity online, 76 percent consider that a difficult feat.

Others don’t find any reason for online anonymity.

The “I have nothing to hide” argument is a popular one. But critics say no one wants their entire life exposed, no matter how “good” of a person they are.

Too much privacy may enable corrupt behavior. Too little privacy may bring Orwell’s Big Brother to reality. People act differently when they know they’re being watched, and Americans are being watched now more than ever before.

In 1999, SUN Microsystems CEO and founder Scott McNealy famously said, “You have zero privacy anyway. Get over it.” We may be moving that way.