Tag Archives: tech

Cracking the code: Workshop gives journalists a crash course in encryption

  • TestBed's Aaron Rinehart lectures to seminar attendees prior to the hands-on portion of the day on April 3, 2015. (Jennifer-Leigh Oprihory/MEDILL NSJI)

WASHINGTON — The minds behind TestBed, Inc., a Virginia-based IT consulting firm specializing in IT planning, analytics, testing, prototyping and business advice for the public and private sectors, gave journalists a crash course in digital safety and encryption techniques at an April 3 seminar in Washington.

The daylong event, “Cyber Security Skill Workshop for Journalists: Sending Secure Email,” was co-sponsored by the Medill National Security Journalism Initiative and the Military Reporters & Editors Association, and held in the Medill Washington newsroom.

The seminar began with an introductory lecture on cybersecurity basics and common misconceptions about online privacy and security. Security-related superstitions, such as the idea that browsing in so-called “incognito” or “invisible” modes will keep your digital whereabouts truly hidden, were promptly dispelled.

TestBed’s Aaron Rinehart and David Reese then transformed the event into a hands-on lesson in PGP – an acronym for “Pretty Good Privacy” – as well as understanding other aspects of digital fingerprints (including how to create a public key, how to register it in the Massachusetts Institute of Technology’s PGP directory so that you are more widely contactable by those in the encryption know and how to revoke (or deactivate) a key for security reasons.

The program also included a brief introduction to the Tor network, a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor, originally developed by the U.S. Navy, hides the route taken from a computer’s IP address to its eventual browsing destination.

Learn how Tor works via Medill reporter William Hicks’ helpful primer and infographic here.

When asked for the top three lessons he hoped attendees would take away from the event, Rinehart emphasized the importance of “good key management,” or not sharing your private PGP key with anyone, operating “under good security practices”(such as updating software and antivirus programs) and making email encryption a regular habit.

“Don’t compromise convenience for security,” Rinehart said in a post-workshop interview. “Try to make this something you can use everyday.”

The event drew a mix of reporters, security experts and students, which included military veterans and defense journalists.

Northwestern University in Qatar journalism student James Zachary Hollo attended the event to research encryption resources available for foreign correspondents and to report on the workshop for the Ground Truth Project in Boston, where he is currently completing his Junior Residency.

Hollo said the seminar gave him a better understanding of how to use PGP.

“I had sort of experimented with it before I came here, but this gave me a much better and deeper understanding of it, and I got to sort of refine my ability to use it more,” he said.

Hollo said he was surprised that many attendees came from military service or military reporting backgrounds, since, in his view, “one of the blowbacks against the NSA story [involving whistleblower Edward Snowden] was that it’s like reporting is like betraying your country.”

 

White House pushes for student data regulations

WASHINGTON — When the educational company ConnectEDU filed for bankruptcy about a year ago, it tried to do what any business would — sell off its most valuable asset: student data.

Millions of students submitted personal information such as email addresses, birth dates and test scores to the college and career planning company.

The Federal Trade Commission eventually stopped any transactions involving the data after noting that they violated ConnectEDU’s privacy policy.

Some student educational records are protected through the Family Educational and Privacy Rights Act, or FERPA. Originally signed into law in 1974, FERPA essentially protects the records schools collect on students and gives parents certain oversight and disclosure rights.

The growing influence of technology in classrooms and in administrative data collection, though, is making FERPA out-of-date.

Teachers, students and parents now routinely submit information to educational services companies, such as ConnectEDU. FERPA does not regulate how these companies use that data. And there is no other federal law that does. The companies’ own privacy policies are the only limit to what the companies can do with the information users provide.

The concern is that ConnectEDU may not be the only education technology company that is trying to sell its data to third parties.

ConnectEDU’s databases, for example, were filled with students’ personally identifiable information including names, birthdates, email addresses and telephone numbers. The sale of that information to other companies is not regulated.

In order to make FERPA up-to-date, President Barack Obama, in conjunction with partners in the private sector, called for a legislation to establish a national standard to protect students’ data in January.

“It’s pretty straightforward,” Obama said in a speech at the Federal Trade Commission. “We’re saying the data collected on students in the classroom can be used for educational purposes — to teach our children, not to market to our children. We want to prevent companies from selling student data to third parties for purposes other than education. We want to prevent any kind of profiling about certain students.”

Dubbed the Student Digital Privacy Act, the White House’s plan is loosely based on a 2014 California law that prohibits third-party education companies from selling student information. While other states have laws regulating and increasing the transparency, regulation and collection of student data, the California law seems to be the most far-reaching.

Because FERPA doesn’t cover third-party use, some private sector leaders have taken a vow to establish clear industry standards for protecting student data through the Student Privacy Pledge.

Created by the Future of Privacy Forum and the Software and Information Industry Association in the fall of 2014, Obama mentioned the pledge as an encouraging sign for the protection of student information.

“I want to encourage every company that provides these technologies to our schools to join this effort,” Obama said. “It’s the right thing to do. And if you don’t join this effort, then we intend to make sure that those schools and those parents know you haven’t joined this effort.”

So far, 123 companies have signed the pledge, including tech and education giants such as Apple, Microsoft, Google and Houghton Mifflin Harcourt.

“There was a lack of awareness, information and understanding about what school service providers did and didn’t do with data and what the laws required and allowed,” Mark Schneiderman, senior director of education policy at SIIA, said. “Rather than waiting for public policy and public debate to play itself out, we figured, let’s just step in and make clear that the industry is supporting schools, is using data only for school purposes, not selling the data, not doing other things that there was a perception out there that maybe [companies were doing].”

The National Parent-Teacher Association and other groups support the pledge, according to Schneiderman.

“It is imperative that students’ personal informational formation is protected at all times,” the National PTA wrote in a statement.

The companies that signed the pledge are not subject to any policing body, but by signing the pledge they show consumers their commitment to student privacy, Schneiderman said.

But many notable educational technology companies, like Pearson Education, have not signed the pledge. Pearson was recently the subject of a POLITICO investigative report that revealed that the company’s use of student data was unmonitored.

According to the report, Pearson claims it does not sell the students’ data it collects.

The College Board, ACT and Common Application are often viewed as integral to the college admissions process, but are also not included in the pledge.

Instead, these education companies point consumers to their privacy policies, which can often be difficult to understand because of the legal jargon and ambiguous terms.

Some groups such as the Parent Coalition for Student Privacy think the pledge and the privacy policies aren’t enough.

“We also need strong enforcement and security mechanisms to prevent against breaches,” Leonie Haimson, one of the group’s co-chairs, said in a statement responding to Obama’s speech. “This has been a year of continuous scandalous breaches; we owe it to our children to require security provisions at least as strict as in the case of personal health information.”

Out of the 12 commitments listed in the pledge, only one deals with preventing leaks or breaches.

The signees must “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks,” the pledge states.

Haimson said the policies are a decent start, but do not go nearly far enough in protecting educational data.

Regardless, a bill for a comprehensive national standard has yet to be introduced despite the White House’s push.

In early February, though, the White House said that it had been working closely with Republican Rep. Luke Messer of Indiana and Colorado Democrat Rep. Jared Polis to introduce a bipartisan bill to Congress.

The bill’s release is expected by the end of the month, according to Messer’s office.MINTZERPRIVACY (9) 2