U.S. J-School Digital Security Sample Slides

�Questions? Suggestions? �Reach out:�https://freedom.press/contact/

training@freedom.press

Freedom of the Press Foundation (CC BY 4.0)

README: How might these slides be used?

• We hope these slides will provide some inspiration. To that end, these slides are intended to provide examples of digital security topics that might be covered, and how visual aids might help.
• We expect instructors use these slides based on their needs for their courses and expectations of students. Ultimately, we hope instructors will modify these slides or find inspiration when creating learning materials independently.
• Make a copy of slides or the deck (“File” > “Make a Copy”). Make it your own! You don’t need to use our branding.
• Check back in occasionally! Like all digital security training materials from Freedom of the Press Foundation, we intend to keep it up-to-date.

​

​

​

https://freedom.press

README: Use or modify as needed

• Unless otherwise noted, our U.S. j-school security curriculum is Creative Commons-friendly (CC-BY 4.0), meaning that you can use or modify it as needed. When using the slides, we only ask that you give us attribution somewhere in your deck:

Freedom of the Press Foundation (CC BY 4.0)

• You don’t need to use our branding, if you don’t want to! Within any slide, click “Layout” and change the template to “Absolute zero branding” for a blank background.

​

​

https://freedom.press

Legal requests in the U.S.

https://freedom.press

We’re going to talk about authorities used by U.S. law enforcement to access electronic data, and implications for journalistic work.

​

This is not about intelligence agencies or their capabilities.

https://freedom.press

Data you may need to keep confidential in your work

• Work-related notes, possibly stored in apps.
• Unpublished work materials.
• Location data (e.g., cell tower records).
• Conversation metadata: Information about who you’ve been talking to (e.g., who spoke to whom, when, how long).
• The content of your conversations (e.g., in messaging apps).

https://freedom.press

Reminder: The more places your data resides, the more places that may be compelled to disclose it!

Hello!

Hello!

Service provider�(e.g., email provider)

​

Intermediaries�(e.g., ISP)

​

https://freedom.press

Good news / bad news: We have strong constitutional protections in the U.S., with some caveats

• 1st Amendment protections to journalists’ right to publish. But the right to protect sources and communications is much less cut and dry.
• 4th Amendment protections for content of Americans’ communications, without a warrant.
• A lot of metadata — information about peoples’ communications, such as who spoke to whom — is unprotected.

https://freedom.press

If caught up in a law enforcement investigation, prosecutors or courts may compel third parties to share your data

• While it doesn’t happen often at the federal level, at the local and state level level, journalists are sometimes compelled to take the stand.
• Particularly at the federal level, data stored with third parties can often tell investigators everything they need to know.
• U.S. companies may be compelled to disclose user / subscriber data in response to valid legal requests from U.S. courts.

https://freedom.press

Roadmap

https://freedom.press

Roadmap

https://freedom.press

What’s a subpoena anyway?

• A subpoena is an order to (1) testify or (2) bring evidence before the ordering authority, or face punishment.
• Generally, subpoenas need to be relevant to the investigation, proportionately onerous to the recipient, and proportionate in scope. In many cases, this doesn’t require a judge’s sign-off. This is a very low bar.
• Subpoenas are the simplest form of surveillance procedure, but are extremely powerful, and can provide clues about who journalists communicate with.

https://freedom.press

Source: Associated Press

https://freedom.press

Email metadata requests with D Orders

• Email metadata (to, from, time, length) requires a slightly higher level of evidence than a subpoena requires.
• This authority is governed by the Stored Communications Act, Section 2703(d) — sometimes referred to as a D Order.
• Based on “Reasonable Articulable Suspicion” (RAS) standard, which is infrequently rejected in courts.
• RAS is a slightly higher standard than a subpoena — a D Order must be based on some corroborated evidence.
• ​

https://freedom.press

What are the implications of this kind of legal request for reporting?

https://freedom.press

Another example: Ali Watkins’ emails and phone calls

• In 2017, records from two email accounts and a phone number belonging to NYT journalist Ali Watkins scooped up as part of DoJ leak investigation.
• Watkins and the NYT were not given advanced notice, nor opportunity to contest the requests.

Credit: X/aliwatkins

https://freedom.press

Metadata requests have lower burden of proof than requests for message content

Conversation metadata includes…

• Who sent it?
• Who’s it to?
• When was it sent?

Metadata may be requested with a subpoena or court order. Even properly encrypted messages produce metadata.

https://freedom.press

Metadata and account information usually require a subpoena or court order, such as a D Order.

​

For communications content, courts increasingly require a warrant.

https://freedom.press

What’s a warrant anyway?

• A warrant is a specific type of court order to authorize a search or arrest. This is a higher bar than needed for a subpoena or D Order.
• Requires probable cause: A government officer tells a judge what reason they have to believe a search is necessary.
• Requires particularity: A warrant must be limited in scope to what’s necessary for the investigation.

https://freedom.press

Fox News’ James Rosen’s emails seized

• In 2010, DoJ obtained search warrant for Rosen’s email.
• FBI said there was probable cause Rosen violated the Espionage Act by soliciting classified information from a former State Department official.

https://freedom.press

Google - Way of a Warrant: https://www.youtube.com/watch?v=MeKKHxcJfh0

Google - Way of a Warrant: https://www.youtube.com/watch?v=MeKKHxcJfh0

​

https://freedom.press

In other words…

• Subpoenas for things like subscriber information (e.g., a user’s name, physical address) need to be relevant to an investigation.
• D Orders (for email metadata) must meet slightly higher “reasonable articulable suspicion” standard.
• Warrants for message content must meet a still higher bar, requiring probable cause.

https://freedom.press

In other words…

https://freedom.press

Generally, cell phone location records require a warrant

• Your phone may broadcast your location to nearby cell phone towers — sometimes called cell site location information.
• In a 2018 case, the Supreme Court held that historical cell site location information requests demand a warrant.

Telephone companies

​

https://freedom.press

BUT… Some agencies purchase cell location records

Instead of subpoenaing records, Immigration and Customs Enforcement (ICE) has purchased cell location records from Venntel, a data broker. The legality of this behavior is still unclear.

Source:_https://www.wired.com/story/can-government-buy-way-around-fourth-amendment/

https://freedom.press

Requests for live information about phone calls

• Logging call metadata. Pen/trap orders pertain to live logs of communications involving a targeted phone number. Pen/traps only require relevance to an ongoing criminal investigation.
• May include other metadata, such as length of the call, whether call was answered.
• Pen/trap is short for “pen registers” and “trap and trace” devices, which are used to conduct this surveillance activity.
• Wiretapping phones. Wiretap orders pertain to requests for call content. Similar to warrants, wiretaps require probable cause.

https://freedom.press

Cloud services share many rules with communications data

• Some cloud services (e.g., Google Drive) also have messaging components. What we’ve discussed before also applies to messaging on cloud services.
• In recent years, content stored in cloud services generally been considered protected under the 4th amendment, and requires a warrant for searches.
• Cloud metadata (e.g., when a file was uploaded) is less demanding, and usually requires a subpoena.

https://freedom.press

Pick a company! Use their transparency report to see how they’ve responded to requests for their most recent 6 months:�

accessnow.org/transparency-reporting-index

https://freedom.press

What about legal requests from other countries?

• Sometimes, U.S. companies may be compelled to respond to foreign law enforcement requests — for example, in international criminal investigations where the U.S. has signed onto a mutual legal assistance treaty, or have other agreements with the U.S. (e.g., under the CLOUD Act).
• Foreign intelligence services may play by different rules, and may not ask permission get ahold of targeted data.

https://freedom.press

If you only take one thing away…��Assume third parties may be compelled to share your data, and act accordingly.

https://freedom.press