With journalist Silkie Carlo I have co-authored a ‘handbook’ on practical information security for journalists, commissioned by the UK Centre for Investigative Journalism. The CIJ handbook ‘Information Security for Journalists’ was launched at the CIJ Summer School 2014 in London. The book will be forever freely available in a range of electronic formats – see download links below. In the four months after the initial publication we have rewritten certain parts based on feedback from the initial readers and updated other parts to stay current with the latest software changes. Many thanks to all who gave us valuable feedback.
Although this book was originally written for investigative journalists, most of the described concepts and technical solutions are just as usable by lawyers or advisors protecting communications with their clients, doctors protecting medical privacy and of course politicians, activists or anyone else who engages powerful state and corporate organisations. Really, we’re all journalists now. Inside the book is a mail address for getting in touch; please let us know how you are using it and what we can do better.
If you have reasons to suspect your online movements are already under some form of surveillance, you should not download this book using a computer or network associated with your identity (such as your home or work systems).
Several participants of journalist training programs have written articles: ‘Information security for journalists: staying secure online’ by Alastair Reid (from journalism.co.uk); ‘A day with the surveillance expert’ by Jason Murdock, Offtherecord.in; and Valentina Novak wrote this interview after a lecture & workshop in Slovenia last November.
From the ‘backflap’ of the book:
This handbook is a very important practical tool for journalists and it is of particular importance to investigative reporters. For the first time journalists are now aware that virtually every electronic communication we make or receive is being recorded, stored and subject to analysis and action. As this surveillance is being conducted in secret, without scrutiny, transparency or any realistic form of accountability, our sources, our stories and our professional work itself is under threat.
Journalists were dismayed by the realisation that almost all digital communications are now being recorded; for them and their sources there are real risks and now danger in their work. This danger does not just worry reporters, whistleblowers and other sources, but all those who hear privileged information and whose privacy is considered fundamental to the courts, the practice of law, and justice in all of its meanings. Lawyers and accountants and their clients are now without the protection of client confidentiality, and are vulnerable to the secret surveillance of an increasingly authoritarian and unaccountable state.
After knowing how Snowden’s disclosures were safely presented to the public, we know that there are real safeguards and counter measures available. The CIJ’s latest handbook, Information Security for Journalists, lays out the most effective means of keeping your work private and safe from spying. It explains how to write safely, how to think about security and how to safely receive, store and send information that a government or powerful corporation may be keen for you not to know, to have or to share. To ensure your privacy and the safety of your sources, Information Security for Journalists will help you to make your communications indecipherable, untraceable and anonymous.
When planning work that must remain private and confidential it is important to carefully assess the level of threat that may be associated with it. Shop floor maintenance, building site health and safety, restaurant hygiene, and hospital cleaning may be areas where the precautions and methods described here are unnecessary or might act to complicate and slow down your work. In these cases a phone call made or received away from work or home to a source or a reporter, may ensure sufficient protection at least in making an initial contact.
People working or reporting on national security, the military, intelligence, nuclear affairs, or at high levels of the state and in major corporations should probably consider this handbook as very important to their safety.
Although this handbook is largely about how to use your computer, you don’t need to have a computer science degree to use it. Its authors, and other experts advising on the project have worked to ensure its practical accuracy and usability. The authors expect that after six months, updates and some changes will be required. Please return to download the latest edition. You will not want to download this on a machine or network identified with or close to your employer or your source or your home.
Gavin MacFadyen, Director of the Centre for Investigative Journalism
Download links for the book in PDF for printing on A4 format, ePub ebook for iPhone, iPad & Android devices, MOBI & AWZ3 for Kindle eReaders, LIT for older eReaders and FB2 for Samsung Bada and other Java eReaders. For easy management of ebook collections I strongly recommend the free and Free Software Calibre application. The 1-page instruction leaflet for starting Tails USB-drives is here. The entire book is also available as a set of webpages for reading on your laptop as you set it up. Slides from the Summer School 2014 lectures on information security are here in PDF and PPT.
This handbook is being translated into Arabic, Chinese, French, German, Portuguese, Spanish, and other languages.
With journalist Silkie Carlo I have co-authored a ‘handbook’ on practical information security for journalists, commissioned by the UK Centre for Investigative Journalism. The CIJ handbook ‘Information Security for Journalists’ was launched at the CIJ Summer School 2014 last weekend in London. The book will be freely available in electronic format and in print after the summer. Just like last year I gave lectures (slides) and ran a hands-on workshop to get journalists ‘tooled-up’ so they can better protect their sources, themselves and their stories in a post-Snowden world.
From the ‘backflap’ of the book:
This handbook is a very important practical tool for journalists. And it is of particular importance to investigative reporters. For the first time journalists are now aware that virtually every electronic communication we make or receive is being recorded, stored and subject to analysis and action. As this surveillance is being conducted in secret, without scrutiny, transparency or any realistic form of accountability, our sources, our stories and our professional work itself is under threat.
After Snowden’s disclosures we know that there are real safeguards and real counter measures available. The CIJ’s latest handbook, Information Security for Journalists, lays out the most effective means of keeping your work private and safe from spying. It explains how to write safely, how to think about security and how to safely receive, store and send information that a government or powerful corporation may be keen for you not to know, to have or to share. To ensure your privacy and the safety of your sources, Information Security for Journalists will help you to make your communications indecipherable, untraceable and anonymous.
Although this handbook is largely about how to use your computer, you don’t need to have a computer science degree to use it. Its authors and the experts advising the project are ensuring its practical accuracy and usability, and work with the latest technology.
Gavin MacFadyen, Director of the Centre for Investigative Journalism
This handbook is being translated into Arabic, Chinese, French, German, Portuguese, Spanish, and other languages.
Over the last 10-15 years public IT in Europe has not developed in line with public interests, nor does it guarantee the fundamental rights of citizens such as privacy and freedom of expression. Tremendous opportunities in the field of economic development and employment have also been missed. Europe effectively outsources much of its information processing (software & services) to foreign parties at the direct cost of hundreds of billions of Euros (typically around 1% of GNP). The opportunity-cost to local economic growth and employment opportunities is much greater than that. Even more costly than either of these is the de-facto handing over of control of the data of governments, businesses and individual citizens to foreign spies who use it for political manipulation, repression of citizens’ freedoms and industrial espionage. Although the warnings about the negative consequences of current policies date back at least 15 years, these aspects have been documented in irrefutable detail over the last year by the revelations of Edward Snowden. 12 months later there has not even been the beginning of a policy response.
It could all have been so different …
In the first 21 months of the 21st century, the dot-com bubble burst and then three skyscrapers in New York collapsed. Between these two events a largely forgotten report to the European Parliament appeared in the summer of 2001. This report described the scale and impact of electronic espionage in Europe by the U.S. and its ‘Echelon’ partners (Canada, UK, Australia and New Zealand). Besides a detailed problem analysis, the report also gave concrete examples of IT policies that governments could take to significantly limit foreign intelligence spying on Europe.
In the same period the U.S. government won one of the largest anti-trust cases in its history, against Microsoft, and the EU followed this victory by launching a similar case that would also be won, leading to the highest fine for economic crimes ever imposed on a company in the history of the EU.
It was against this background that thinking about strategic versus operational aspects of IT in the public sector changed. The report on Echelon made it clear that reducing IT into a merely operational exercise had disastrous consequences on the sovereignty of European states with respect to, in particular, the United States (and perhaps in the near future, China, other technically capable countries or non-state organizations). The economic consequences of industrial espionage against many high-tech and R&D-intensive companies became a major concern for the government.
The IT policy of governments would from 2002 onwards be based first on the political principles of a democratic and sovereign state. This not only meant a very different policy in the field of technology selection and procurement, but also in the balance between outsourcing versus in-house expertise, and it required an extreme degree of transparency from all suppliers. Open data standards for public information were required, and non-compliance resulted in severe penalties (although public ridicule from 2009 onward was generally the most effective). These new frameworks for public IT created a new market for service providers who based solutions on so-called ‘Free Software’ (previously better known as ‘open source’). The high degree of transparency, both in project implementation and in the technology itself, made for a well functioning market and made recycling of (parts of) systems the norm. Spending on software fell sharply and the freed-up budget was used for the recruitment of highly qualified IT workers under conditions that could compete with the offerings of the market.
The full transparency with respect to both the IT projects and the tech itself, combined with a depth of expertise within the government, changed the market for public software and IT services. Quality rose steadily while prices remained permanently under pressure. Since all service providers had full access to all software used in government (with only a few exceptions in defense, justice and home affairs), there was a very open playing field where all providers were expendable (and those who performed below par were replaced regularly).
In addition, computer and IT education from kindergarten to university studies was fundamentally revised. Basic understanding of the operation of computers and information networks became as normal as reading and writing. From 2006 every 14 year-old was taught in school how to encrypt email and what the disadvantages were of using software whose source code is not published. Through this awareness among young people in Europe the adoption of social media occurred very differently than in the U.S. Young people not only had end-user skills but real understanding of what was happening to their information when sending a message or uploading a photo to websites. Being careful with your private information was considered cool. The social media landscape was not dominated by a handful of U.S. companies; instead there was a landscape of federated services such as Diaspora which competed among themselves but were compatible in the same way as is the case with email. These services were sometimes somewhat centralized but, just as often, completely decentralized and run on micro-servers in many people’s homes (such as the UK-invented 35 Euro RaspberryPi).
Due to the high privacy and safety awareness, online crime did not get much grip on most European countries. Hardly anyone was naive enough to log on to strange domains or websites in response to a fake email that appeared to come from their bank. And the use of customized secure USB drives issued by various banks was accepted as obvious for any major online financial transaction. At the level of organisations, high levels of expertise and a high degree of diversity in technology implementations made for robust security that was only seldom breached. The large demand for experts in well-paid jobs also kept many would-be criminals from selling their skills for more destructive applications.
This is the IT that Europe could have had if other choices had been made over the last 12 years. All the knowledge and technology for these choices were available in the first months of this century. Because these choices were not made, Europe has spent hundreds of billions on software licenses and services from American companies, while there were cheaper (often free), more flexible and safer alternatives available that would not operate as a foreign espionage platform. All these hundreds of billions were not invested in European services, training, education and R&D. The economic impact may be a multiple of the roughly $1 trillion in foreign software licenses spent by Europe this century, while the social cost resulting from manipulated politicians during transatlantic negotiations on trade or environmental matters will probably never be known.
Europe still has everything it needs to develop and implement such policies. It is not too late to turn, no matter how regrettable the policy failures of the last decade and no matter how many wasted billions. Today could be the first day of such a new course. Concrete examples in the Netherlands, Germany, France, Spain, the UK and many other places show that this is not only possible, but almost immediately leads to huge savings, improved safety and independence from foreign parties in future IT choices.
It’s not often that regaining national sovereignty and the restoration of civil rights can spur national innovation and employment programs simultaneously. The only thing missing is the political will to stop rewarding businesses and governments that use their technological dominance to spy on the entire world. We have nothing to lose but our chains to the NSA.
At 12:30 on Friday 13th of June 2014 I will give the Kerckhoff Lecture at Radboud University’s Kerckhoffs Institute for information security in Nijmegen, in room HG00.068. For an audience of students and faculty who probably know more about the maths of cryptography than myself, I will talk about the tech-policy implications of the Snowden revelations and why Europe has been doing so very, very little.
Imagine a whistleblower releasing detailed documentary proof of a group of organisations that dump large volumes of toxic mixed chemical waste in European rivers and lakes. The documents describe in detail how often (daily) and how toxic (very). Now imagine journalists, civic organisations and elected representatives all starting furious discussions about how bad this is and what the possible horrible consequences theoretically could be for European citizens.
Now imagine that this debate goes on and on for months as slowly more documentation is published showing ever more detailed descriptions of the various compounds in the toxic chemicals and what rivers and lakes precisely they are being dumped into.
Now imagine that no journalist, civic organisation or elected representative comes up with a single concrete and actionable proposal to stop the actual and ongoing toxic dumping or to prevent future organisations getting into the habit of illegal dumping.
Imagine also that both governments and public-sector organisations, including the ones responsible for health and environmental matters, continue not only to procure products and services from the above organisations but also to give them the licences they need to operate.
Imagine that this goes on for month after month after month for a full year.
Now imagine it turns out that the Government not only already knew about this 13 years before but also had a detailed report on practical solutions to clean up the mess and prevent future poisoning.
Sounds incredible does it not?
Except this is precisely how Europe has been not-dealing with the revelations by Edward Snowden on industrialised mass-surveillance of our government & civic institutions, companies and citizens.
The EU has spent most of a year holding meetings and hearings to ‘understand’ the problem but has not produced a single word on what concrete actions could regain the right to privacy for its citizens now. This while a July 2001 report on Echelon, the NSA/GCHQ precursor program to the current alphabet soup, explained the scope of the problem of electronic dragnet surveillance and made practical and detailed recommendations that would have protected Europeans and their institutions had they been implemented. Currently only Germany has seen the beginnings of policies that will offer some protection for its citizens.
On Friday the 13th of June I will discuss the full scope of the NSA surveillance problem, the available technological and policy solutions and some suggestions about why they have not and are not being implemented (or even discussed).
I will be speaking and workshopping at the 2014 Dataharvest+ conference in Brussels. This conference brings together investigative journalists, (big)data wranglers, coders & hackers to kick journalism into the 21st century.
My contribution will be a series of presentations about applied information security for investigative journalists and hands-on workshops to get security tools working on laptops. So bring yours! Slides I used are here: PPT, PDF. Some tips and links to tools. A video from a comparable workshop last year; since then the situation has turned out to be much more dire.
Dear Members of the Committee on ICT,
On June 1st, 2012 I was invited by your predecessors to contribute to the expert meeting of the Parliamentary Working Group on ICT projects in government. The written submission that I made at that time is here, including a video of those hearings (in Dutch).
As an IT architect but also as a concerned citizen, I have been actively involved with the IT policy of the government since 2002, focusing on the areas of electronic health records, security and open standards / open source software. On the latter issue I was the initiator of the 2002 Parliamentary ‘Motion Vendrik’ that advocated greater independence from dominant software suppliers. Last year I also served as a technical expert on the Committee of Minister Plasterk who advised on the (im)possibilities of electronic support for the electoral process.
Although this Motion Vendrik from 2002 was translated into the Heemskerk Action Plan in 2007, this policy was quietly killed in 2010/11 by the lobbying power of large software vendors and the U.S. government. Even the Court of Audit was pressured to *not* ask certain questions in its 2011 report on the policy. Since 2002, the Netherlands has spent about 60-90 billion on foreign software, for which in many cases free, equally good or better alternatives are available. Their use is, however, actively hindered by both the Ministries of Education and Interior, as well as the VNG, supported by the lobbying apparatus of major suppliers and the U.S. government.
This despite Justice Minister Donner’s 2004 letter to Parliament in response to the Motion Vendrik where he admitted that:
- the government’s dependence on Microsoft was very great;
- that this was a problem;
- and that by introducing open standards and the use of open source that could be solved.
This dependence has since become much greater and more than one billion Euro was spent on Microsoft licenses over the last decade. That money would have paid for 10,000 man-years of expertise to migrate away from Microsoft products. A large part of the money spent would have remained in the Dutch economy and returned to the state through tax and VAT. Not that 10,000 man-years would have been needed. The Municipality of Ede did it against the odds for a fraction of the cost and now saves 92% on software expenses (and 25% on overall budget). The rest of the government has yet to take steps. Why is an important question.
In addition to the huge amounts of money involved (the VAT ends up mostly in the Irish exchequer due to intra-EU trade to Irish headquarters of IT companies), it has also become clear in recent months, thanks to Edward Snowden in particular, that U.S. software is deployed as espionage infrastructure. This has practical implications. For example, the current semi-privatised infrastructure of the national Electronic Health Records system has been put under technical management of an American company and therefore falls under the Patriot Act. But the Windows PCs (which are de facto mandatory in secondary schools) and Gmail accounts (which are necessary to follow a University course) are part of the global spy network. Similarly with the iPhones that some of you might use, about which NSA internal documents boast of the 100% success rate in automated monitoring at zero dollars cost per device.
All this means that even if IT projects according to any definition ‘succeed operationally’, these often still violate the basic rights of millions of Dutch citizens (Article 12 of the Dutch Constitution, Art. 8 ECHR, Art. 12 UNDHR). Examples include electronic health records, transportation smart cards and many information processing systems of governments that have been outsourced on foreign soil and/or to foreign companies (such as the database of fingerprints that for many years has been linked to the issue of passports).
Both the EU and the Dutch government have been aware of this problem since the summer of 2001, yet nothing has since been done in the Netherlands to ensure the privacy of citizens or the data security of Dutch public and private institutions. Indeed, much has been done by the government which has greatly exacerbated this problem.
The above points, in my view, mean that a purely ‘operational’ approach to project success simply does not cover all the obligations of a democratic government in its role as guardian of the rights of its citizens.
This past weekend, I have viewed the first five videos of hearings and was most impressed by the contribution of Mr. Swier Jan Miedema. He seemed to be the only person genuinely committed to getting to the heart of the problems and saying out loud what he thought (although Prof. Verhoef also made quite a few wise points). The most compelling aspect of his testimony was the obvious fear of specifically naming a commercial party. This seems to confirm what many in the Dutch IT world know: companies like Centric abuse their dominant position in local government for short-term gain, including the exclusion of anyone who is a threat to those gains (here another example).
That an IT professional of such seniority has to beat around the bush with a trembling voice is typical of the situation in the ‘market’ for public ICT. Institutionalized corruption and abuse of power is more associated with a developing country than a democracy.
In the conversations with both Mr. Miedema and other experts several members of the committee asked several times if these people could not suggest what would ‘solve’ all this. As if the problem was something that could be fixed with some trick. It is worryingly obvious that (two years and 8-12 billion after the start of the Commission) there is still the idea these problems can be solved by changing project-management methodology. Based on my experience, I believe that the problem is much more fundamental. I strongly urge you to look much more widely and more deeply at the problem and to not exclude your own role as parliamentarians in this. No questions or solutions should be taboo. Even if thereby the significant economic interests of above mentioned suppliers or the job security of groups of officials/civil servants must be called into question.
Both Mr. Miedema and Prof. Verhoef expressed the view that everything that happens can be broadly explained by the incompetence that exists in both the government and its suppliers. There are, however, limits to the incompetence theory. Somewhere in the process the prolonged and appalling scale of wasting money, endangering the cyber security of the Netherlands and violating the privacy of millions of Dutch citizens has been allowed (or at least not considered an important subject). The fact that the Commission itself over the last 2+ years can spend a couple of hours a week on a problem that costs hundreds of millions of Euros monthly might also be an indication of some inexplicable non-priority. There are many officials, businesses, cybercriminals and intelligence services abroad that greatly benefit from the status quo. Look especially at those who do not come to your hearings.
In the 21st century laws are made reality by software. So it no longer befits a democracy to hand over control of that software to (often foreign) commercial parties. Executive parts of government must be accountable to you ultimately and without control over the technology that underpins their work this accountability is simply not possible.
Obviously I am willing to explain myself further as to the above matters.
With kind Regards,
June 9th 2014: In The other IT of another Europe I commemorate one year of the Snowden/NSA scandal by describing a scenario in which other choices were made, choices that are still open to us today…
Today is the 11th of February 2014, “The Day We Fight Back”. We fight against out-of-control spying on our privacy as free citizens. We fight against Orwellian espionage because we know where it leads to in the end.
The text below is inspired by the speeches of Winston Churchill during May and June 1940. While the nature of the opponents of democracy and freedom is different today, the consequences of losing the fight are just as dire. Our society and the planetary eco-system are in great trouble. We need our democracies to function and our internet to be free so we can address the great challenges of our time.
“What Cory Doctorow and Aaron Swartz called the fight against SOPA & ACTA is over. The battle against TTP and global surveillance continues to rage on. Upon this battle depends the survival of the internet and our democracies. Upon it depends our own way of life and the long continuity of our institutions and our culture. Once again the whole fury and might of the enemies of freedom will very soon be turned on us now.
Those working towards a police state know that they will have to break us or lose this conflict. If we can stand up to them, all of the Internet may be free and the life of the world may move forward into broad, sunlit uplands. But if we fail, then the whole world, including the United States and Europe, including all that we have known and cared for, will sink into the abyss of a new corporatist Dark Age, made more sinister, and perhaps more protracted, by the lights of perverted technologies.
You ask, what is our policy? We can say: It is to hack, by server, laptop and phone, with all our might and with all the strength that Turing can give us; to wage lulz against a monstrous tyranny, rarely surpassed in the dark, lamentable catalogue of human crime. That is our policy. You ask, what is our aim? I can answer in one word: victory, victory at all cost, victory in spite of all the terror, corruption and lies.
I have, myself, full confidence that if all do their duty, if nothing is neglected, and if the best arrangements are made, as they are being made, we shall prove ourselves once more able to defend our networked homes. To ride out the storm of surveillance, and to outlive the menace of tyranny, if necessary for years, if necessary alone. At any rate, that is what we are going to try to do. That is the resolve of the hacktivists – every one of them. That is the will of free citizens. The technologists and the creatives, linked together in their cause and in their need, will defend their native internet, aiding each other like good comrades to the utmost of their strength. Victory, however long and hard the road may be; for without victory, there will be no free culture and no culture of freedom.
Therefore we shall go on to the end:
we shall fight in Europe,
we shall fight on our browsers and our operating systems,
we shall fight with stronger encryption, and secure hardware,
we shall fight with growing confidence and growing strength,
we shall defend our networks, whatever the cost may be,
we shall never surrender.
Let us therefore brace ourselves to our duties, and so bear ourselves that, if the Internet and its hacker community last for a thousand years, they will still say, “This was their finest hour”.”
Now go participate in or organise a cryptoparty, support people developing better tools (mail, web, secure systems and all this Free-as-in-freedom Software) or ask other people if they value being able to read without being read at the same time. Privacy is a human right according to the UN Declaration of Human Rights, and yes, you too have something to hide as well.