Jonathan Stray, a professor at Columbia University’s Graduate School of Journalism, regularly teaches threat modeling to journalists and activists. The journalist and computer scientist talked to DW Akademie about the importance of threat models and what to consider when designing one. He provides a concrete example to give a better idea of how they work.
Why is threat modeling important?
A lot of people assume that security comes from a tool or setting up their computer a particular way. But that’s not where security comes from. Security comes from having an understanding of the threats you face as a journalist or an activist and having a plan to counter those threats. So to ask if something is secure is not really a sensible question. You can only ask if something is secure relative to a particular threat.
And this is where threat modeling comes in?
If you are asking questions about security, then presumably there is something you are worried about. A threat model is a way of writing down your assumptions about what could happen. There are four basic questions you need to ask in a threat model:
What do I want to protect? Normally, there is some sort of information you want to keep secret. That could be what you’re talking about with your sources, it could be the identity of the sources themselves or it could be that you are working on a story or that you are even in the country.
Who is trying to do something that I don’t want? In security language, this is the adversary. The adversary could be the subject of the story if you are researching criminal activity, it could be the authorities in one form or another, or it could even be a competing newsroom. You have to know who it is.
What can the adversary do? If your adversary is the local authorities, how can they get the thing you don’t want them to have? Can they monitor your communications? Can they steal your laptop? Can they walk into your office and use your computer during your lunch break? Can they arrest you and force you to give up a password? Can they stop you at the border and search your camera? It’s a question of their capabilities and that’s different depending on who the adversaries are.
What happens if the adversary wins? In other words, what is the risk? Does it mean you can’t publish the story? Does it mean someone goes to jail? Are you going to get someone fired? Are you going to ruin someone’s career? Or if you are working in conflict zones, are you going to get someone killed? It’s really important to understand what the risk is. Because an analysis of the risk is going to tell you how careful and how paranoid you have to be and whether you can do it at all.
You teach threat modeling to journalists at your university and give them different scenarios to write a security plan for. Let’s take look at one of them about a photojournalist in Syria who has digital images to get out of the country.
In this scenario, I was interested in how the AP or BBC got their images out of Syria. So you ask yourself the four questions again.
Who is the threat? It is the Syrian government or Syrian security forces in some form or another. So it is a pretty serious threat.
What do you have to protect? In this scenario, you have to protect the identity of your sources. You are talking to rebel fighters or anti-government forces and you don’t want the government to know who they are. And because they are talking to a foreign journalist they are even more at risk. So what it comes down to is you can’t let them see your images and you can’t let them get your address book. You don’t want them to track your movements either.
What can the adversary do? You are going to have to leave the country at some point. You have to assume you are going to get stopped at the border and all your gear is going to get searched and all your memory cards and hard drives are potentially going to be taken away from you and copied. So you have to assume that all your data is going to be seen when you leave the country. They may also be tracking your movements through your phone. This means if you are meeting with sources, you probably shouldn’t be carrying your phone. Your sources are going to have phones too, so all the authorities have to do is see who you met with more than once. Who else came in close proximity?
What is the risk? In this case, it is maximum risk – your sources are going to be arrested and tortured or killed. So it is a pretty serious scenario.
What do you do once you’ve done your threat model?
In this case, it means you have narrowed down your needs to how can you get the photos out without having them copied at the border. Then you can start thinking about tools, such as encryption and VPNs to get the data out (VPNs = Virtual Private Networks, which are used for secure connections. See our post on VPNs to understand more on what they are and how to use them). It would be best if you weren’t carrying anything when you crossed the border at all. So one solution is to set up a VPN or another kind of secure connection and upload the material before you try to leave. There are various possible solutions but you can’t see the solutions until you have asked yourself the questions.
And the journalists who decide to leave with the material on them, isn’t one of the problems with encryption that you can just be tortured until you give up the password?
Source: xkcd.com
(There is a case where a British filmmaker’s materials fell into the hands of the Syrian authorities, read about it here)
So you might get beaten up, but at least your source won’t get killed.
This is key in journalism and journalism ethics. There are basically two kinds of risk – risk to you and risk to your sources. You are allowed to choose to take personal risks but you are not allowed to choose to create risk for your sources without their consent and understanding. This is a major difference that has to go into your planning.
Post a Comment