Golan Levin: Next up is Runa Sandvik. She’s an engineer with the Tor Project, and highly knowledgeable about privacy and security and how it intersects with culture. I’m thrilled to introduce Runa Sandvik.

Runa Sandvik: My name is Runa Sandvik. I fig­ured I would give a pre­sen­ta­tion to bet­ter explain the work that I do and show, hope­ful­ly not too tech­ni­cal, but show how you can think about the way you go about your online life and the traces you leave online, and what this means for the work that you do, the peo­ple you inter­act with, and so on. This is a pre­sen­ta­tion that I gave a cou­ple of months ago to a bunch of jour­nal­ists. I don’t know if there’s any jour­nal­ists here, but if the pre­sen­ta­tion seems very journalist-specific that’s why. I think it will apply to if not all then some of you here, but it was espe­cial­ly geared towards jour­nal­ists.

I work for an organization called Freedom of the Press Foundation. Before that I was with the Tor Project. The Tor Project is a non-profit that develops a piece of software called Tor that essentially allows you to be anonymous online. It means that when you’re using Tor, the web sites that you’re visiting do not know that you’re the one visiting them, and your Internet Service Provider cannot see which web sites you’re visiting. Your employer, your partner, anyone else using your computer, cannot see which web sites you’re visiting.

This soft­ware has been around for twelve years now. It’s been open source since 2002. About six months ago, I went to work for Freedom of the Press Foundation, which is anoth­er non-profit that specif­i­cal­ly helps jour­nal­ists do the very impor­tant work that they do every sin­gle day. This means help­ing them use dig­i­tal secu­ri­ty tools. Helping them under­stand the dif­fer­ent tools. Helping them under­stand the threats that they face online, as well as help them safe­ly receive doc­u­ments from anony­mous sources. So we have this sys­tem that we devel­oped called SecureDrop which allows the jour­nal­ists to use Tor, and allows the sources to also use Tor to safe­ly com­mu­ni­cate and exchange doc­u­ments in an anony­mous way. So if say, the NSA or some­one else want­ed to fig­ure out who’s the source, who’s the per­son that’s send­ing these doc­u­ments to one of these orga­ni­za­tions, they would just see that some­one is using Tor to do some­thing. They can’t nec­es­sar­i­ly say that this per­son is using Tor to upload these doc­u­ments to this news orga­ni­za­tion.

In addi­tion to that, I have also spent some time cre­at­ing a list of jour­nal­ists that have been arrest­ed in Ferguson while cov­er­ing the protests there. So on the Freedom of the Press web site there is a blog post list­ing I think there’s twenty-four jour­nal­ists now that have been arrest­ed between mid-August and now. So there’s the full list, there’s a link to a news arti­cle about every sin­gle jour­nal­ist, and there’s also a records request for the arrest report, for the mug shots, and for a cou­ple of oth­er inter­est­ing bits and pieces.

In this pre­sen­ta­tion I cov­ered threat mod­el­ing, which essen­tial­ly just means fig­ur­ing out what it is that you need to pro­tect, and who you need to pro­tect it from. It is the case that we assess risks every sin­gle day. I can’t real­ly see you here but raise your hand if you check the weath­er before you leave your house in the morn­ing. Some of you do. And why is that? We check the weath­er because if it’s going to rain we might want to bring an umbrel­la, if it’s going to be real­ly cold we might want to bring a hat, and so on and so on and so on.

Now, the situations that we face are not always the same. It is the case that a protest by what might be a kindergarten is not the same as a protest in Ferguson or in New York or Chicago or Oakland, as we have seen over the last couple of months. We evaluate risks by doing research. And in this case, this is from September/October I think, the Washington Post covered the protests and at one point issued this statement and said that “following the lead of other news organizations, The Post has decided to outfit its employees with gas masks purchased at a chain hardware store.”

So initially this was not gear that the journalists had with them in Ferguson, but the Post made this risk assessment, it was a part of their threat model now that that was something that the journalists needed and that they should have while covering these protests. So again we re-evaluate the situations.

This one I include because I thought it was a bit interesting. It’s a post on a Facebook page from an organization called Asymmetric Solutions based out of Ferguson, or based out of Missouri at least, St. Louis. They had tweeted a couple of days prior that “we have for the first time deployed a ‘high threat team’ to Ferguson.” And a lot of people started to wonder, was this something that local law enforcement felt that they needed? Was it something that protestors felt that they needed? And so they issued this statement that said that they were recently contacted by a professional journalist that wanted their help.

Now, Asymmetric Solutions, they’re ex-military that pro­vide essen­tial­ly body­guards. So an inves­tiga­tive jour­nal­ist felt the need to hire a group of ex-military offi­cers to come with them to Ferguson to cov­er the protests. Someone had then eval­u­at­ed the sit­u­a­tion, re-evaluated after see­ing what was going on, and then hired this group to go in with them.

This was a lot of Ferguson talk. A lot of protests, also very specifically for journalists. But it is the case that just as we evaluate situations offline, we need to do that online as well and think about the information that we have, think about where we leave traces of the work that we do, who we share this information with, how they protect the information that you share with them, and so on. And so there’s sort of four questions that I like to suggest that people think about when they start thinking about their own threat model.

The first one is “What do you want to keep private?” It’s not the case that we talk about hiding anything. It’s about protecting information, protecting sources in the case of journalists, protecting information that other people have shared with you. This can be a lot of different things, it doesn’t have to be documents that Edward Snowden shared with you. It can be photos, it can be blog posts, it can be research, it can be different types of projects. I think a good way to start thinking about this is think about the information that you have and the information that you’ve worked with over the past week, past three days. And then think about how you would feel if all of this information was published on a Tumblr tomorrow. That should give you a good idea where to start and what kind of information you want to keep private.

The second one is “Who wants to know?” For most of us the NSA is not necessarily our biggest threat. It could be someone you work with, someone you know, ex-partner, disgruntled employee. It can be a lot of different people that will want to know the information that you have.

“What can they do to find out?” They can steal it, they can hack your computer, maybe they already have access to your email. There’s a lot of different things that these people can do to find the information that you have that they might want. And it’s also the case that you might not necessarily be the target. Someone who is close to you could be the target. There’s been stories over the past year or so that show how hackers who have targeted journalists specifically have not necessarily gone after the journalist that for example wrote the story that they didn’t like. I think earlier this year Forbes was hacked by the Syrian Electronic Army because the Syrian Electronic Army was a bit unhappy with a couple of articles that had been written. Instead of going after the journalists who wrote the stories specifically, the Syrian Electronic Army went after the social media editor and managed to hack into this person’s account and from there made their way into the Forbes platform and started posting content. So it’s not necessarily you that’s the target but people who are close to you can also be the target in these cases.

Then there’s the question of “What happens if they succeed?” In some cases it can be an article is not published, a source is revealed. It can be your project never happens. A competitor launches a product before you do. There’s a lot of different things that will happen here. Another story from I think 2012, where a journalist or documentary filmmaker, I think, had gone to Iran to interview a bunch of activists about the work that they do there, and had phoned and had interviewed a lot of people and talked to a lot of people and gotten more names of people that he should talk to. Then he was stopped on the border going home and all of his tapes, all of his notes, everything was taken away from him. Suddenly every single person that he talked to was at risk because they were doing things that the government didn’t necessarily agree with. But that’s a very extreme example I think. It’s not necessarily the case that someone might die because you don’t have a strong enough password on your email account, for example. But for some people in some cases that should be a part of their threat model.

The solu­tion is to make a sim­ple plan. With that I mean think about what your threat mod­el looks like. What kind of infor­ma­tion do you have, how can you pro­tect it, how are you pro­tect­ing it right now, how many copies are there of this infor­ma­tion? Make a plan for how you are going to keep that infor­ma­tion safe. And keep it to your­self. It sort of is the case that if you come up with a great plan for secur­ing the infor­ma­tion that you have, you don’t nec­es­sar­i­ly have to go about and tell absolute­ly every­one about it.

This Twitter account, if you haven’t heard about it before, it’s called Need A Debit Card? It’s fantastic. There are people that are so excited to get a debit card that they tweet about it straight away. If you also look at the replies to some of these tweets you will see the person will tweet again and ask, “Why do people keep asking about the number on the back of the card?” Some things are better kept to yourself. And I figured I would leave you with that.

If you have any spe­cif­ic ques­tions about dig­i­tal secu­ri­ty tools or any­thing like that, then I am around for the rest of the evening. Happy to take ques­tions about that, too. Thank you.

