
Research: Digital Privacy and Security

Amanda Hickman edited this page Mar 24, 2017 · 27 revisions

I hold digital privacy office hours every Tuesday at 11 Pacific. My office hours are primarily for my colleagues at BuzzFeed, but I'm happy to take questions from outside the office. These are my notes. Keep in mind that they're very much geared towards journalists and their needs at work. Your needs may vary.

-Amanda

Core principles:

My guiding principles are these:

  1. Software changes, but knowing what you can protect and how you can protect it will serve you well even as the individual tools evolve.

  2. There are a lot of good questions you can ask about how to choose tools. Don't let all those questions stand in the way of getting started.

  3. Threat modeling is smart and it is worth thinking about your specific circumstances, but normalizing privacy and encryption goes a long way towards making it possible for other people to communicate securely. So consider making some choices in solidarity with people who really need that privacy.

  1. Using software builds community around software and community is core to success. The more people there are using a particular tool, the more usable it is. If you don't believe me, I can explain.
  2. If the only people bothering with encryption are dissidents who have something to hide, then encryption itself is a sure sign that you're up to no good. You can protect other people's right to dissent by encrypting your own mundane conversations.

Fairly Current Guides to Getting Started

Other resources

Resources for Trainers

Basic Hygiene

Tip of the Week: If you haven't tackled the basics, start there.

  1. Set up two factor authentication for most services.
  2. Make sure that you're updating your operating system and installed software regularly.
  3. Install Privacy Badger or an ad blocker.
  4. Make sure there's a lock on your phone screen.

Get Signal

Tip of the Week: Text messages are really easy to encrypt.

That's easy. Just do it. I find it hard to use for calls (they get choppy) but for SMS there's no reason not to. Plus, normalizing encryption for mundane conversations makes it a lot easier to protect dissent.

Doxx Yourself

Tip of the Week: Doxx yourself before someone else does.

Look yourself up on Intelius, Pipl, PeekYou, Spokeo to get a sense of what is out there.

And then a few other places to take stock: what is public in your ...

  • Facebook account?
  • WHOIS records (if you own a domain). I changed the domains I own so that my home address is not attached to them.

There are some things you can't hide. Voter registration is public information, as are many real estate registries.

https://www.privacyrights.org/ is a good resource, especially their list of People Search & Data Brokers.

Note: I use a fake birthday when I register for sites that ask for it. I usually use the same fake birthday, so I can remember it when I need to. It's nice when all your friends know it is your birthday -- 🎂🎉🎂🎉 and all -- but consider what you're trading.

Set Up A Password Manager

I resisted this for a long (long) time because the idea of storing my passwords with a third party didn't sit right with me, but a series of conversations with some very smart privacy and digital security trainers convinced me that even centralized proprietary services (Okta, LastPass, 1Password) are better than using the same password over and over and keeping it on a sticky note under your keyboard.

I went with KeePass, on Martin Shelton's advice, because I'm willing to put up with some inconvenience if it means I have (a little more) confidence in the security of my key store.

Encrypting Email

Sad truth: there are not good tools for encrypting email without dropping down to the command line. Mailvelope is designed to work for webmail, but it can be super hard to use. Enigmail is a Thunderbird plugin but I found it, also, pretty hard to set up and manage. EFF's Surveillance Self Defense has some resources on setting up Enigmail though.

Other tools:

Recommended Reading: Introduction to Public Key Cryptography for a great introduction to what is happening under the hood or Why Email Encryption Matters for context on email.

Sharing Documents and Editing Collaboratively

Two factor authentication is great for keeping h@x0rz out of your Google Docs, but if your threat model includes subpoenas, you're dependent on Google's subpoena policy. And a related but distinct problem is that, while Dropbox is a superhandy way to make sure you have access to your files from as many computers as you use, storing unencrypted files on Dropbox is definitely perilous, from a privacy standpoint.

Full disclosure: I have used Dropbox to coordinate two mortgage applications. Scanned every last bit of personal financial data and organized it into folders. I deleted those files recently, but I didn't purge them yet. Will do that.

I asked around about good answers to both questions (secure collaborative editing; secure storage between computers) and got the following suggestions, which I haven't yet looked at closely. These notes are edited somewhat from the original suggestions, but for the moment I'm mostly just cutting and pasting...

Cryptpad is an encrypted Etherpad clone. Their system encrypts documents in your browser before uploading them to the server. Your decryption key is incorporated into the URL, but not stored (it's tucked into the fragment identifier -- the portion of the URL after the # -- which the browser never sends to the server), so the only way to decrypt the page is with the full URL. Their privacy policy is pretty good, but it is definitely conceivable that they could be hacked or otherwise compelled to add malicious code that would circumvent their own encryption by grabbing the fragment identifier. Still: it is one interesting option for collaborative document editing.

CrypTag Notes is a shared note-taking app that is open source and uses end-to-end encryption. Instead of a centralized server (most services, including Google Docs, Cryptpad and Signal, use a centralized server), CrypTag Notes lets you decide how and where to store notes. So you can use it with a file-syncing service (like Dropbox), over Sandstorm or on your own server. You can run it over Tor, which wouldn't protect the data in a file but would anonymize contributors. Big drawback: only one person can edit at a time. Big advantage: it's a desktop app, first. So you don't have to trust anyone with data storage, you just need good key hygiene. It's still rough around the edges, but it's very useful and usable in its current form.

BoxCryptor seems like a very usable solution for encrypting files that you're storing on Dropbox. Not a collaboration tool, but great if you're using Dropbox as your default file server. It's proprietary, though, and though Lifehacker likes it, I haven't found any endorsements that impress me.

Cryptomator is free and open source and very similar to Boxcryptor. It could use some usability/UX help for sure, but it seems to work OK.

Leaking Large Files (And Small Ones)

Edited Feb 27, 2017

Obviously, step one is SecureDrop -- information on using BuzzFeed's instance is at https://tips.buzzfeed.com/. You'll need Tor Browser, but it is a good idea to install Tor anyway and use it sometimes. If more people use Tor Browser, it is less interesting that any one person is using Tor Browser. So use it to give cover to folks who need it, and you'll have it when you need it.

But here are a few other ways to share information discreetly.

  • Firefox and Chrome both give you the option to browse without storing any history. In Firefox, you can open a New Private Window; in Chrome it's called incognito. This only keeps the record off your own computer; it does nothing about someone accessing your web traffic upstream from you.

  • Tutanota allows you to create an email address and encrypt mail with it.

Together that means that if you're already in touch over a secure messaging app like Signal, one option (again, depending on your threat model) is to use private browsing, create a pair of burner addresses on Tutanota and use those to share files. As long as you're always using "incognito" or "private" mode, there won't be a record on your computer that you've been accessing <tutanota.com>. And by using a throwaway Tutanota address, you can avoid having a record of the correspondence stored in your Sent folder.

Sanitize Unknown Files

More on this TK, but don't download a random zip file and open it on your computer unless you want malware galore. Or spyware. One USB project: https://www.circl.lu/projects/CIRCLean/

More methods to make sure you can open files without compromising your computer TK, but only if you ask for them.

Metadata

As a general rule, if you're going to publish a sensitive file that was provided to you by a source, you should make sure you're stripping out any hidden data that might identify your source, or perhaps their location.

So how do you make sure you're not publishing any untoward metadata? That depends.

If you have a PDF, PDFtk is your friend. You can see all the metadata attached to a particular PDF with pdftk in.pdf dump_data output report.txt -- and if there's data you'd like to cull, you can use vim -b in.pdf to open your PDF in vim, where you can actually find the Info strings, which are in key/value pairs. If you search by the key name (e.g. Creator or Producer) you might find the values as plain strings, or as hex-encoded strings that look like hashes. Replace the values with 00s, keeping the length the same so the file's offsets still line up, and you should be good. There's more good detail at stack overflow. Depending on the document you might need to use qpdf too.
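As an added example (not part of the original notes), here is a small Python script that does on a constructed sample PDF what the vim -b edit above does by hand: it lists the Info strings and then overwrites each value with zeros of the same length. It assumes a simplified string grammar (no escaped parentheses) and an Info dictionary that is not inside a compressed object stream.

```python
import re

# Constructed minimal PDF (not a file from the page) whose Info dictionary
# carries the kind of strings pdftk dump_data reports: literal (...) strings
# plus one hex <...> string for /Producer, which looks like a hash in vim.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Creator (Microsoft Word) /Producer <4163726f626174>"
    b" /Author (Jane Source) /CreationDate (D:20170224101500) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

# Standard Info keys, each followed by a literal (...) or hex <...> string.
# Simplification: escaped parentheses inside literal strings are not handled.
INFO_RE = re.compile(
    rb"/(Title|Author|Subject|Keywords|Creator|Producer|CreationDate|ModDate)"
    rb"\s*(\(([^)]*)\)|<([0-9A-Fa-f\s]*)>)"
)

def list_info(pdf: bytes) -> dict:
    """Return {key: value} for every Info string found in the raw bytes."""
    found = {}
    for m in INFO_RE.finditer(pdf):
        key = m.group(1).decode()
        if m.group(3) is not None:                    # literal string
            found[key] = m.group(3).decode("latin-1")
        else:                                         # hex string
            found[key] = bytes.fromhex(m.group(4).decode()).decode("latin-1")
    return found

def zero_info(pdf: bytes) -> bytes:
    """Overwrite each value with zeros of the same length, as the vim -b edit
    does. Every byte offset stays the same, so the cross-reference table
    stays valid; that is why the values are zeroed rather than deleted."""
    def repl(m):
        head = m.group(0)[: m.start(2) - m.start()]   # e.g. b"/Author "
        if m.group(3) is not None:
            return head + b"(" + b"0" * len(m.group(3)) + b")"
        return head + b"<" + b"0" * len(m.group(4)) + b">"
    return INFO_RE.sub(repl, pdf)

# Caveats: XMP metadata streams and the trailer /ID are separate and untouched,
# and in PDFs that use object streams the Info dictionary may sit inside a
# compressed stream where neither vim -b nor this scan can see it; rewriting
# the file with qpdf first exposes it.
```

Run list_info before and after zero_info to confirm the strings are gone and the file length is unchanged.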

If you have a Word Document you probably want to just output it as a PDF to start with. Word documents often contain a ton of data about past edits. You also run the risk of re-distributing a virus. So just print it to PDF.

An Excel Spreadsheet is a big can of worms. The best approach to sanitizing a spreadsheet depends on why you want to publish it. So we can cross that bridge together once we get there.

If you have photos, video or audio files, they often contain metadata that can be quite revealing. So start with exiftool -- that will show you most of the metadata attached to a file, which might include things like the model of the camera or recording device that was used to capture it, along with the date and time of capture and modification.

On Linux, if exiftool isn't already installed, you can install it with sudo apt-get install exiftool. If you're a Mac user, start here and let me know how it goes. Once you know what metadata is attached to the file, you can strip out a lot of metadata with ffmpeg or exiv2.

I've had good luck with exiv2 rm -da example.jpg, or this string --

ffmpeg -i in.mov -map_metadata -1 -c:v copy -c:a copy out.mov

will do the trick -- the -map_metadata -1 flag creates an empty metadata source and overwrites your metadata with that. -c:v copy keeps the existing video codec (the video stream is copied without re-encoding); -c:a copy does the same for the audio stream. You might actually want to re-encode with a new codec, especially if you want to obscure all information about your audio or video source (e.g. if you don't want anyone to be able to tell that this video was probably recorded on an Android phone).

I've also been looking into hachoir, which is a pretty intriguing tool. Trying hachoir-metadata in.mp4 and hachoir-urwid in.mp4 will give you a good indicator of what you can see with either tool. So far, the tools described above are better fits for viewing and scrubbing metadata, but I may spend more time with Hachoir.

Once upon a time, Tails included a "Metadata Anonymisation Toolkit" or MAT. Development is stalled but their page is a good explanation of points of concern. And Tactical Tech has a solid, but undated article on Exposing the Invisible. Before you use their suggested resources, double check that they're still actively maintained!

Threat Modeling for Journalists

Most digital privacy workshops and curricula start with a conversation about "threat modeling": articulating what "threats" to your privacy, or the integrity or security of your data you're concerned about and then assessing the ways in which you're vulnerable to those threats. If you're not familiar with the concept, EFF has a great introduction to threat modeling.

Consider solidarity when you're taking stock of your digital privacy. The more we all encrypt our private conversations, the less suspicious it is when two people who genuinely need privacy begin an encrypted conversation. And the more we all use tools that protect or respect our privacy, the more accessible those tools are to other users.

Plus, people change and our threat models change. The more you can incorporate as basic hygiene, the easier it is to take stock when your landscape changes radically.

All of that said, your current threat model is a good place to start to prioritize. This is a good starting point