[liberationtech] Forbes recommends tools for journalists
frank at journalistsecurity.net
Mon Dec 17 09:49:33 PST 2012
If anyone here has any thoughts about the tools recommended in this
Forbes piece, please speak up. The piece gets specific with
recommendations from Ashkan Soltani, a technologist who I do not think
is on this list, about half way down. Again, any thoughts would be
welcome. Thank you! Frank

TECH | 12/07/2012 @ 1:33PM |24,858 views
Dear Journalists at Vice and Elsewhere, Here Are Some Simple Ways Not To
Get Your Source Arrested
You forgot to scrub the metadata, suckers.
Computer security millionaire John McAfee’s surreal flight from
Belizean law enforcement came to an end this week when he was detained
(and then hospitalized) in Guatemala, as has been widely reported. A
piece of the story that hasn’t been included in much of the reporting
is how authorities figured out that McAfee — who was wanted for
questioning in the shooting death of his neighbor — had fled Belize
for Guatemala. McAfee’s location was exposed after he agreed to let
two reporters from Vice Magazine tag along with him. Proud to finally be
in the thick of a story rife with vices — drugs, murder, prostitutes,
guns, vicious dogs, a fugitive millionaire and his inappropriately young
girlfriend — they proudly posted an iPhone photo to their blog of Vice
editor-in-chief Rocco Castoro standing with the source of the mayhem in
front of a jungly background, saying, “We are with John McAfee right
With that posting, they went from chroniclers of vices to inadvertent
narcs. They left the metadata in the photo, revealing McAfee’s exact
location, down to latitude and longitude. McAfee tried to claim he’d
manipulated the data — a claim that Vice photographer backed up on
Facebook in a posting he’s since deleted — but then capitulated,
hired a lawyer, and tried to claim asylum in Guatemala. Guatemalan
authorities instead detained McAfee for entering the country illegally.
All of which was dutifully reported by the Vice reporters, with no
mention of their screw-up. Mat Honan at Wired excoriated Vice for its
role in events:
This was deeply stupid. People have been pointing out the dangers of
inadvertently leaving GPS tags in cellphone pictures for years and
years. Vice is the same publication that regularly drops in on
revolutions and all manner of criminals. They should have known better.
And they have the resources to do it better. Vice is a $100 million
Then, it followed up this egregiously stupid action with a far worse
one. Vice photographer Robert King apparently lied on his Facebook page
and Twitter in order to protect McAfee. Like McAfee, he claimed that the
geodata in the photo had been manipulated to conceal their true
But the coverup, as always, is worse than the crime. In claiming the
geodata had been manipulated when it had not, Vice was no longer just
documenting. Now it was actively aiding a fugitive wanted for
questioning in the murder investigation of his neighbor Gregory Faull,
who was shot dead at his own home.
Via How Trusting In Vice Led To John McAfee’s Downfall – Wired.
It was indeed deeply stupid. Journalists are professional dealers in
information but many are terrible about protecting it. While willing to
go to jail to protect their sources, journalists may wind up leaving
them exposed instead through poor data practices. In a New York Times
editorial last year, Chris Soghoian, now chief technologist at the ACLU,
warned that “secrets aren’t safe with journalists” explaining that
“ the safety of anonymous sources will depend not only on
journalists’ ethics, but on their computer skills.”
There are three very basic things journalists should be doing to shield
Scrubbing metadata from photos, documents and other files.
Resisting the desire to save copies of everything.
Technologist Ashkan Soltani walked me through some simple tools for
doing this. They’re not foolproof, but they’ll make it a little less
likely that your blog post will wind up sending the person you’re
profiling to jail (unless that’s your intent).

1. Scrubbing metadata.
“All files — photos, Word docs, PDFs — include some kind of
metadata: author, location created, device information,” says Soltani.
If you leave the metadata attached, you run the risk of exposing private
information about the person who gave you the file, or, in the case of
Vice, the location of the person trying to keep his location under
Before you share a Word doc with the world that a source sent you, run
it through a scrubber. Otherwise, it may reveal where the doc was
created, who authored it and anyone who has ever made changes to it.
There’s Doc Scrubber for Microsoft Word.
For PDF docs, use a tool like Metadata Assistant. Or use Adobe
Acrobat’s “Examine Document” tool which will scan the doc for
For photos, think about turning off geotagging on your phone or digital
camera so that the information doesn’t get included in the first
place. You’ll usually do that in your phone’s “Location
Settings.” Instructions here.
You can run your photos through a metadata scrubber. Or, if you don’t
care much about the resolution, you can just take a screenshot of the
photo and use that metadata-free version.
Some photo-hosting services do you the favor of scrubbing metadata.
Facebook, Twitter and Instagram all have this privacy-protective measure

2. Resisting the desire to save copies of everything.
We live in a time when it’s easy to save everything, meaning we’ve
all become digital hoarders. Why delete an email or chat when you can
just archive it? It could come in handy later. Or it could come back to
bite you later.
“Disable chat logs in whatever program you’re using, Gmail or
Skype,” says Soltani. In Gmail, that means switching chats to “off
the record.” In Skype, it means turning off the feature that
automatically saves your chats to anywhere you log in. (Added privacy
bonus: That could keep your boss from winding up getting his hands on a
sexy chat you had on your home computer.)
If you need to keep a record of a chat, save it as a Word file on your
own computer, and encrypt it.
“Don’t keep emails around for years and years,” says Soltani.
“Practice better data hygiene.”
Soltani says journalists and sources might consider setting up temporary
email accounts to communicate about a story, and then to delete the
accounts after the story’s complete. He compares it to using a burner

3. Encrypting your communications.
This may be the most labor intensive of the recommendations from
computer security professionals, but if it’s important that your
communications with someone not be compromised, it’s worth it. This
means your emails will appear as gibberish to anyone you don’t want
reading them. Had David Petraeus and Paula Broadwell encrypted their
emails to one another rather than saving them in a drafts folder, their
exposing themselves to each other wouldn’t have been exposed to the
world. “This allows you to communicate securely and protects your
messages if your account is compromised,” says Soltani.
For chat, consider using Adium’s OTR.
Use a Virtual Private Network or create your own SSL.
Take 30 minutes (more or less, depending on your savvy level) to set up
SMime or PGP for Gmail so that the emails you send from whichever
provider you use are encrypted. The only limitation here: you need to
get the person you’re communicating with to enable encryption as well.
Rather than calling someone from your landline or cell phone, use Skype
or Silent Circle.
A journalist’s job is to bring information to light. Using these
tools, you’ll retain some control over which information gets lit.
10 Incredibly Simple Things You Can Do To Protect Your Privacy
Password Protect Your Devices
Choosing not to password protect your devices is the digital equivalent
of leaving your home or car unlocked. If you're lucky, no one will take
advantage of the access. Or maybe the contents will be ravaged and your
favorite speakers and/or secrets stolen.
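
For the photo step in section 1 of the quoted article, an added example (not part of the original message or the Forbes piece) of a pre-publication check: it walks a JPEG's header segments, reports whether the EXIF block carries a GPS pointer, and drops the metadata segments. The function names are hypothetical and the sample bytes are constructed, not a real photo.

```python
import struct

DROP = {0xE1, 0xED, 0xFE}  # APP1 (EXIF/XMP), APP13 (IPTC/Photoshop), COM

def segments(jpeg):
    """Yield (marker, payload, raw_bytes) for each header segment up to SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data runs to end of file
            yield marker, b"", jpeg[pos:]
            return
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)  # includes itself
        yield marker, jpeg[pos + 4:pos + 2 + length], jpeg[pos:pos + 2 + length]
        pos += 2 + length

def has_gps(jpeg):
    """True if an EXIF segment's IFD0 holds the GPSInfo pointer (tag 0x8825)."""
    for marker, payload, _ in segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
        (ifd0,) = struct.unpack_from(bo + "I", tiff, 4)
        (count,) = struct.unpack_from(bo + "H", tiff, ifd0)
        for i in range(count):  # each IFD entry is 12 bytes, tag first
            (tag,) = struct.unpack_from(bo + "H", tiff, ifd0 + 2 + 12 * i)
            if tag == 0x8825:
                return True
    return False

def strip_metadata(jpeg):
    """Return the JPEG with EXIF/XMP, IPTC and comment segments removed."""
    kept = (raw for marker, _, raw in segments(jpeg) if marker not in DROP)
    return b"\xff\xd8" + b"".join(kept)

# Constructed sample: JPEG-shaped bytes with one EXIF entry pointing at a GPS IFD.
_tiff = (b"II*\x00\x08\x00\x00\x00" + struct.pack("<H", 1)
         + struct.pack("<HHII", 0x8825, 4, 1, 26) + b"\x00" * 4)
_exif = b"Exif\x00\x00" + _tiff
SAMPLE = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_exif) + 2) + _exif
          + b"\xff\xdb\x00\x03\x00" + b"\xff\xda\x00\x02\x12\x34\xff\xd9")

if __name__ == "__main__":
    clean = strip_metadata(SAMPLE)
    print("GPS before:", has_gps(SAMPLE), "after:", has_gps(clean))
```

Dropping APP1 also removes the embedded EXIF thumbnail and the orientation tag, so a photo may need rotating before the strip. Run `has_gps` on the output file, not the original, as the last check before upload.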