The failures of the information security infrastructure
In an age of big data and mass state surveillance, the rapid expansion of interconnected networks without secure infrastructure is causing concern among many information security experts, lawyers, privacy advocates, and journalists.
To address these challenges and others, information security experts, policymakers, journalists, activists, and military officials convened at the New America Foundation’s inaugural cybersecurity summit in Washington, D.C. on February 23. Amidst the diverse set of topics and speakers, several key takeaways and themes emerged, many of which have implications for the media.
Weakened encryption was once again debated. In line with recent statements made by government and law enforcement officials, NSA Director Adm. Mike Rogers defended the stance to weaken encryption products to allow for information gathering by the U.S. government. Rogers said he thought it would be possible for encryption programs to have an entry point, within a legal framework approved by Congress or some civilian body, that could be accessed by the NSA. This position was received with skepticism by many privacy advocates and information security experts who oppose weakening encryption because it makes products, services, and networks more vulnerable to exploitation by others, violates private communications, and limits freedom of expression. According to Chief Information Security Officer at Yahoo, Alex Stamos, there is no good way to build products that are safe against some actors and not others. “It’s like the government asked us to drill a hole in a windshield and say, no you can only let the US government through that hole. Everyone knows that if you drill a hole in your windshield, eventually the whole thing will crack. You can’t build a system that intentionally subverts its own security for one purpose and then make the whole thing safe.”
Strong encryption is of particular importance for journalists. Encryption helps journalists protect the content of their communications by ensuring it is only readable to someone who can decrypt it. Anonymization tools like Tor help journalists obscure the metadata of their communications – including the location and identity of the sender – to help prevent a journalist from passive Internet surveillance which can allow an outsider to ascertain who is talking to whom and thereby track interests and behavior.
The Reporters Committee addressed the importance of encryption and anonymity devices for journalists in a joint comment with the Committee to Protect Journalists to the United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression. Special Rapporteur David Kaye solicited input from nongovernmental actors – including civil society, corporate actors, international and regional organizations, and national human rights institutions – for his upcoming report to the United Nations Human Rights Council in the summer of 2015.
Another issue that arose at the NAF summit was the need for private citizens and journalists to better understand where their data is going and how it can be accessed without their permission. Only when we can see our “data exhaust” will we be more inclined to take steps to minimize and obscure our data. Projects like Tactical Technology Collective’s (Tactical Tech) Me and My Shadow, a tool that shows users the traces they leave online and explores ways to mitigate them, and Tactical Tech’s more recent trackography map, which explores how the global tracking industry is reading your online behavior, are good steps in this direction.
As Stamos said at the NAF summit, security and usability of tools should not be considered orthogonal. Software companies need to ensure security is embedded in tools to make sure they are usable by the majority of non sophisticated users. A secure tool that is not usable is ineffective because it cannot be implemented securely.
As much as the profession requires tools that have security built in, information security also needs to be taught in a consistent, on-going way to have tangible results. Recent research conducted by Chris Walker and Carol Waters at the Tow Center for Digital Journalism at Columbia University reveals that information security training for journalists is largely ad-hoc or absent from newsrooms and journalism schools, and that when it is taught, it is often taught in a way that does not result in skill acquisition or strong retention. Fortunately, they put together some recommendations to help address these gaps.
Information security trainers also need to understand the psychological underpinnings of technology adoption to ensure journalists properly implement digital and operational security protections and do not risk jeopardizing their communications and their sources. As Angela Mckay, Director of Cybersecurity Policy and Strategy at Microsoft, mentioned at the NAF summit, research that specifically leverages behavioral psychology is needed to better understand how individuals, including journalists, use technology, because it could help inform adoption and utilization. Programs like LevelUp provide resources for the global digital safety training community, including information focused on understanding the psychological needs of participants undergoing security training, and individuals like Gus Andrews of the Open Internet Tools Project are researching ways to improve how we teach about technology, but more needs to be done.
Better technology is only one part of the solution. Legal and policy solutions are also needed. Information sharing across traditional organizational boundaries has long been heralded by government and law enforcement officials as an answer to deterring attacks, in part because it was a principal recommendation of the 9/11 commission. However, real risks pertain to the sharing of private citizen and journalist information without robust safeguards to ensure information is minimized and secured while in transit or stored.
Although information sharing across government agencies about potential threats and attacks is encouraged by law enforcement and intelligence officials, information sharing via social media is not welcome, at least when it involves controversial topics like the Islamic State. At the NAF summit, John Carlin, the Assistant Attorney General for National Security at the U.S. Department of Justice, mentioned he would consider pursuing indictments against individuals who assist the Islamic State with its use and production of social media. Although the many acts of IS are despicable and horrific, punishing people for sharing information online could potentially infringe on First Amendment rights of free expression and free association.
Meanwhile, proposed changes to the already broad Computer Fraud and Abuse Act (CFAA) are also worrisome to security researchers and journalists. According to the Electronic Frontier Foundation’s (EFF) legislative analyst Mark Jaycox, recent suggested changes to the CFFA could criminalize any unauthorized access to computer data—even if the data’s owner leaves it unsecured. Doing so risks chilling or criminalizing work by security researchers who provide vulnerabilities to corporations about their products, and penalizes or prevents journalists from writing about information security issues.
In a time where every company is now a technology company, journalists and news organizations need to embrace information security training and information security experts need to develop tools that are both usable and secure. Transparency on the part of governments and corporations, along with continued activism and coverage of technological issues by journalists could create the space needed for constructive dialogue and solutions rather than defensive actions and entrenched positions.
Only by working together on these issues will we be better able to improve privacy, security, and transparency, and ensure First Amendment rights and freedoms are protected and respected.