1 of 32

Data Security: How to protect yourself, your sources, and your stories

Julien Martin

Data & Research Unit

(01/2016-01/2019)

World Conference of Scientific Journalists

Lausanne, 4 July 2019

2 of 32

It’s never going to be fully secure

Leaks, breaches and attacks can occur everywhere

People
Devices
Networks
Remote services

Understand technologies, procedures and their limits

When possible, avoid technology; use it when needed, not by default

Practical decisions depend on your threat model (context)

bit.ly/wcsj19-datasec

3 of 32

Threat modeling or what’s the situation?

What do I want to protect?

(documents, names, locations, people, device, …)

From whom? Who is (not) a potential threat?

(corporation, government, criminal organization, …)

What are the risks? What can they do/afford?

(Life threat, physical or legal harassing/attack, theft, eavesdropping, revealing source’s identity or a crucial document, …)

What can I afford? (effort, time, inconvenience, people, tech., …)

bit.ly/wcsj19-datasec

4 of 32

Some security and privacy principles

Kerckhoffs’ principle: “The method must not need to be kept secret, and having it fall into the enemy's hands should not cause problems.”

Security and privacy triads:

<Confidentiality, Integrity, Availability> and

<Security, Usability, Functionality> are

inter-dependent properties

Improving one comes at the expense of the others.

bit.ly/wcsj19-datasec

5 of 32

Some security and privacy principles

bit.ly/wcsj19-datasec

6 of 32

Data security, practically

7 of 32

Prefer passphrase over password

Passphrases are

usually stronger

and easier to

remember than

passwords.

https://xkcd.com/936/

bit.ly/wcsj19-datasec

8 of 32

Set a single master passphrase

A password manager generates and

stores “strong” and unique passwords

for each of your accounts, from a single

master passphrase.

e.g. Keepass

bit.ly/wcsj19-datasec

9 of 32

Set up two-factor authentication

2FA requires a second step of verification for log in

Gmail, Facebook, …

e.g. a code generated by the Google Authenticator app on your phone.

npinfo.com

bit.ly/wcsj19-datasec

10 of 32

Encrypt your devices

Enable full disk encryption of your devices, in case of theft

Veracrypt provides plausible deniability, especially useful for travels / customs checks

(Allows hidden disk volumes and hidden operating systems)

Accept data from sources with SecureDrop

bit.ly/wcsj19-datasec

11 of 32

Share PGP encrypted files

Generate your own PGP key pair and
Distribute your public key; keep your private key safe
Encrypt files for the recipient’s public key (may be you)
Decrypt received files with your private key

Use tools that follow OpenPGP standard:

GnuPG on Linux

GPG Suite on Mac OS X

Gpg4win on Windows

bit.ly/wcsj19-datasec

12 of 32

Send PGP encrypted emails

FlowCrypt (Gmail) or Mailvelope (Webmail)

Enigmail (Thunderbird)

ProtonMail

Set message expiration, if possible

Email and messaging services leave traces on servers (metadata)

bit.ly/wcsj19-datasec

13 of 32

Use encrypted messengers

Signal Keybase

Wire Olvid

Set message expiration, if possible

Email and messaging services leave traces on servers (metadata)

Olvid claims metadata encryption (but is a recent product)

bit.ly/wcsj19-datasec

14 of 32

Beware the metadata

— “Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”

Stewart Baker, NSA General Counsel

— “Absolutely correct, (...) We kill people based on metadata.”

General Michael Hayden, former director of the NSA and the CIA

www.nybooks.com/daily/2014/05/10/we-kill-people-based-metadata/

bit.ly/wcsj19-datasec

15 of 32

Hide your location and activity

Hide IP address and activity from third-parties ( not all!) with

over a Virtual Private Network

(VPN provider can log your IP)

NordVPN , ProtonVPN , RiseUpVPN

bit.ly/wcsj19-datasec

16 of 32

Hiding your location and activity

Comparitech.com

bit.ly/wcsj19-datasec

17 of 32

Mitigating the risks, in general

Prefer passphrases over passwords
Use two-factor authentication
Encrypt (meta)data & communications
Minimize data lifetime
Beware of the metadata
Spread information over different channels
Choose open source and mature technologies
Prefer running software on your own machines

Whenever possible, turn your devices off and do things the old fashioned way

bit.ly/wcsj19-datasec

18 of 32

If you can’t mitigate the risks anymore

has a mission: bypassing any form of censorship by publishing [your] stories.

We offer journalists working on a sensitive issue a secure way to backup their work with us.

In case something happens to the journalist, we will be able to pick up the investigation, complete it, and publish it broadly.

bit.ly/wcsj19-datasec

19 of 32

How ICIJ’s Datashare project will help journalists breach borders

20 of 32

The International Consortium of Investigative Journalists

A small non-profit organization based in the US

A global network of:

249 investigative journalists
in 90 countries

A pioneering data journalism team

bit.ly/wcsj19-datasec

21 of 32

~ 370 journalists from 75 countries

bit.ly/wcsj19-datasec

22 of 32

Real-world Impacts

$1.2+B

bit.ly/wcsj19-datasec

23 of 32

From a single data provider

Knowledge Center

bit.ly/wcsj19-datasec

24 of 32

To a global network of data providers

Knowledge Center

bit.ly/wcsj19-datasec

25 of 32

DataShare: security by design

github.com/ICIJ/datashare
Runs on your own machine
Creates a peer to peer, distributed network
Uses two-factor authentication
Allows anonymous credentials and connections

Security work in collaboration with the Security and privacy engineering research team at EPFL, Lausanne

bit.ly/wcsj19-datasec

26 of 32

Empowering reporters

Gabriela

ICIJ member

Gabriela is awash in a flood of potentially damning documents linking a government minister to contract price-fixing.

We’ll call our fictional minister João Silva.

bit.ly/wcsj19-datasec

27 of 32

Empowering reporters

Gabriela

“João Silva”

Lucas Machado

Engenharia Inc.

São Paolo

bit.ly/wcsj19-datasec

28 of 32

DataShare processing chain

(3) Extract Names

(2) Extract Text

(1) Scan Folder

bit.ly/wcsj19-datasec

29 of 32

DataShare global network

Gabriela

ICIJ member

Knowledge Center

Would someone have documents about

João Silva ?

Hey! There’s a match

for João Silva!

bit.ly/wcsj19-datasec

30 of 32

Connecting reporters’ data

Gabriela,

ICIJ member

Anastasia, ICIJ member

Can I get access to some of your documents?

Maybe. Who are you and what was your query?

I’m Gabriela and had searched for João Silva

Alright, let’s have a conversation first.

Here are the documents

about João Silva

bit.ly/wcsj19-datasec

31 of 32

Some References

Security in a Box - Digital security tools and tactics -- Tactical Technology Collective
Surveillance self-defense -- Electronic Frontier Foundation
When the weakest link is strong: secure collaboration in the case of the Panama Papers
The field guide to security training in the Newsroom -- OpenNews
Seven digital security habits that journalists should adopt -- RSF
Safety guide for journalists - A handbook for reporters in high-risk environments -- RSF
Security for Journalists -- Jonathan Stray, Opennews
Digital Security Kit for Journalists and Bloggers -- ICFJ Knight Fellow Jorge Luis Sierra
How ICIJ’s Datashare project will help journalists breach borders -- ICIJ
Journalist Online Security Tips -- ProtonMail
Digital Security -- RiseUp
Secure Messaging Apps Comparison -- securemessagingapps.com
Metadata-Private Communication for the 99% -- Yossi Gilad, MIT and Boston University
Is your VPN secure? -- The Conversation
How does Tor work? -- Robert Heaton
Diffie Hellman Key Exchange in Plain English -- security.stackexchange.com
Pretty Good Privacy -- Wikipedia
Kerckhoffs’ principle -- Wikipedia

bit.ly/wcsj19-datasec

32 of 32

Thank you!

datashare.icij.org

julien.pierre.martin@gmail.com

bit.ly/wcsj19-datasec