Category: information security

Book: Information security for journalists – V1.1

With journalist Silkie Carlo I have co-authored a ‘handbook’ on practical information security for journalists commissioned by the UK Centre for Investigative Journalism. The CIJ handbook ‘Information Security for Journalists’ was launched at the CIJ Summer School 2014 in London. The book will be forever freely available in a range of electronic formats – see download links below. In the four months after the initial publication we have rewritten certain parts based on feedback from the initial readers and updated other parts to stay current with the latest software changes. Many thanks to all who gave us valuable feedback.

Although this book was originally written for investigative journalists, most of the described concepts and technical solutions are just as usable by lawyers or advisors protecting communications with their clients, doctors protecting medical privacy and of course politicians, activists or anyone else who engages powerful state and corporate organisations. Really, we’re all journalists now. Inside the book is an email address for getting in touch; please let us know how you are using it and what we can do better.

If you have reasons to suspect your online movements are already under some form of surveillance you should not download this book using a computer or network associated with your identity (such as your home or work systems).

Several participants of journalist training programs have written articles: Information security for journalists: staying secure online by Alastair Reid (from journalism.co.uk) – A day with the surveillance expert by Jason Murdock, Offtherecord.in. Valentina Novak wrote this interview after a lecture & workshop in Slovenia last November.

On Tuesday July 8th 2014 I was once more a guest on Max Keiser’s programme ‘The Keiser Report‘ to discuss the book. Video here on my blog, here on RT site and here on Youtube.

From the ‘backflap’ of the book:

This handbook is a very important practical tool for journalists and it is of particular importance to investigative reporters. For the first time journalists are now aware that virtually every electronic communication we make or receive is being recorded, stored and subject to analysis and action. As this surveillance is being conducted in secret, without scrutiny, transparency or any realistic form of accountability, our sources, our stories and our professional work itself is under threat.

Journalists were dismayed by the realisation that almost all digital communications are now being recorded; for them and their sources there are real risks and now danger in their work. This danger does not just worry reporters, whistleblowers and other sources, but all those who hear privileged information and whose privacy is considered fundamental to the courts, the practice of law, and justice in all of its meanings.  Lawyers and accountants and their clients are now without the protection of client confidentiality, and are vulnerable to the secret surveillance of an increasingly authoritarian and unaccountable state.

After knowing how Snowden’s disclosures were safely presented to the public, we know that there are real safeguards and counter measures available.  The CIJ’s latest handbook, Information Security for Journalists, lays out the most effective means of keeping your work private and safe from spying.  It explains how to write safely, how to think about security and how to safely receive, store and send information that a government or powerful corporation may be keen for you not to know, to have or to share.  To ensure your privacy and the safety of your sources, Information Security for Journalists will help you to make your communications indecipherable, untraceable and anonymous.

When planning work that must remain private and confidential it is important to carefully assess the level of threat that may be associated with it.   Shop floor maintenance, building site health and safety, restaurant hygiene, and hospital cleaning may be areas where the precautions and methods described here are unnecessary or might act to complicate and slow down your work. In these cases a phone call made or received away from work or home to a source or a reporter, may ensure sufficient protection at least in making an initial contact.

People working or reporting on national security, the military, intelligence, nuclear affairs, or at high levels of the state and in major corporations should probably consider this handbook as very important to their safety.

Although this handbook is largely about how to use your computer, you don’t need to have a computer science degree to use it. Its authors, and other experts advising on the project have worked to ensure its practical accuracy and usability.  The authors expect that after six months, updates and some changes will be required.  Please return to download the latest edition. You will not want to download this on a machine or network identified with or close to your employer or your source or your home.

Gavin MacFadyen, Director of the Centre for Investigative Journalism

Download links for the book in PDF for printing on A4 format, ePub ebook for iPhone, iPad & Android devices, MOBI & AZW3 for Kindle eReaders, LIT for older eReaders and FB2 for Samsung Bada and other Java eReaders. For easy management of ebook collections I strongly recommend the free and Free Software Calibre application. The 1-page instruction leaflet for starting Tails USB-drives here. The entire book is also available as a set of webpages for reading on your laptop as you set it up. Slides from the Summer School 2014 lectures on information security are here in PDF and PPT.

This handbook is being translated into Arabic, Chinese, French, German, Portuguese, Spanish, and other languages.


Creative Commons (CC BY-NC-SA 4.0). Licence for humans. Licence for lawyers.


RT.com interview on ‘secure’ smartphone apps

On Friday October 17th I was interviewed by Russia Today on the security of ‘secure’ smartphone apps that turn out to not be so secure. After 18 months of Snowden revelations that should not be news, but for the Guardian newspaper it is.


Bankrupting the NSA with Tails & defeating TTIP

On Tuesday July 8th 2014 I was once more a guest on Max Keiser’s programme ‘The Keiser Report‘. Max is a former Wall Street trader who foresaw the current economic crisis a decade ago. On his show he lets rip on the insane financial system and allows his guests to do the same.

Max asked me about the handbook ‘Information Security for Journalists’ I co-authored with journalist Silkie Carlo. The tools and methods it describes can help in slowing down the NSA by increasing the cost of surveilling individuals by a factor of about 1 million. We also discussed the latest US-inspired attempt-at-corporate-takeover-disguised-as-trade-agreement known as TTIP. I think this will be defeated in the same way as its smaller precursors ACTA and SOPA before it because it is not in Europe’s interest. This will require some serious action on behalf of Europeans since our politicians seem a tad slow in recognising the patterns here.

Full Keiserreport episode here on RT site and here on Youtube.


Book: Information security for journalists

With journalist Silkie Carlo I have co-authored a ‘handbook’ on practical information security for journalists commissioned by the UK Centre for Investigative Journalism. The CIJ handbook ‘Information Security for Journalists‘ was launched at the CIJ Summer School 2014 last weekend in London. The book will be freely available in electronic format and in print after the summer. Just like last year I gave lectures (slides) and ran a hands-on workshop to get journalists ‘tooled-up‘ so they can better protect their sources, themselves and their stories in a post-Snowden world.

From the ‘backflap’ of the book:

This handbook is a very important practical tool for journalists. And it is of particular importance to investigative reporters. For the first time journalists are now aware that virtually every electronic communication we make or receive is being recorded, stored and subject to analysis and action. As this surveillance is being conducted in secret, without scrutiny, transparency or any realistic form of accountability, our sources, our stories and our professional work itself is under threat.

After Snowden’s disclosures we know that there are real safeguards and real counter measures available. The CIJ’s latest handbook, Information Security for Journalists, lays out the most effective means of keeping your work private and safe from spying. It explains how to write safely, how to think about security and how to safely receive, store and send information that a government or powerful corporation may be keen for you not to know, to have or to share. To ensure your privacy and the safety of your sources, Information Security for Journalists will help you to make your communications indecipherable, untraceable and anonymous.

Although this handbook is largely about how to use your computer, you don’t need to have a computer science degree to use it. Its authors, and the experts advising the project are ensuring its practical accuracy and usability, and work with the latest technology.

Gavin MacFadyen,
Director of the Centre for Investigative Journalism

This handbook is being translated into Arabic, Chinese, French, German, Portuguese, Spanish, and other languages

On Tuesday July 8th 2014 I was once more a guest on Max Keiser’s programme ‘The Keiser Report‘ to discuss the book. Video here on my blog, here on RT site and here on Youtube.


Speaking at Dataharvest+ conference

I will be speaking and workshopping at the 2014 Dataharvest+ conference in Brussels. This conference brings together investigative journalists, (big)data wranglers, coders & hackers to kick journalism into the 21st century.

My contribution will be a series of presentations about applied information security for investigative journalists and hands-on workshops to get security tools working on laptops. So bring yours! Slides I used are here: PPT, PDF. Some tips and links to tools. A video from a comparable workshop last year; since then the situation has turned out to be much more dire.

Many thanks to the Centre For Investigative Journalism for making this possible. Happy to be working with them again!


Committee report electronic voting

From April 26th until December 18th 2013 I was a member of the expert committee on voting computers. This committee was instituted to advise the Dutch Minister for the Interior on the feasibility of re-introducing electronic voting methods.

In the past (2008, 2012) I have always been very critical about the way electronic voting was implemented in The Netherlands up to 2007. The lack of transparency of this method and the impossibility of recounts made this fundamentally incompatible with real democracy and, after some convincing by citizens, even the government agreed on this.

The commission recommends:

  • The use of electronic aids to make the voting and counting processes more reliable and more accessible;
  • To this end, account will be taken of the preconditions formulated by the commission;
  • The introduction of a single nationwide voting system, consisting of a voting printer so that the voter can print his or her ballot paper and a scanner to count the votes electronically; This system can be made suitable for all voters;
  • It should be clear in legislation that the paper process provides the guiding principle;
  • Should the voting method proposed by the commission not be implemented, in whatever event it recommends the introduction of electronic counting linked to the introduction of a smaller ballot paper.

More details in the English Summary of the report. For the entire report, press coverage and interviews go to the Dutch version of this blogpost.


Keynote & interview Eurapco Insurance

<On 26-09-2013 I gave the keynote at the Eurapco congress where top EU insurance firms share expertise>

We live in a world of rapid technological change. Keynote speaker and IT expert Arjen Kamphuis discusses the implications for the insurance industry and its customers, and what measures can be taken to ensure the best possible customer experience. The objective was to raise awareness of the rapid pace of socio-technical development today and what fundamental effects this will have on the insurance industry. Changes in customer behaviour and expectations will have an impact on customer satisfaction with our companies’ claims handling.

Future shock – are we prepared for change? Some of the topics discussed in the keynote

  • What if tomorrow’s world looks really different? The basic rules of our business can change at incredible speed because of changes in technology, national/EU/ international policies, environmental threats and other external factors. New technology can overtake existing business models, and even make them irrelevant. The insurance industry faces the challenge of combining the need to be stable, secure and reliable with being dynamic, fast and responsive.
  • Cyber security needs to be taken care of, both within companies and between companies and their customers. Privacy issues are of great importance for insurance companies. For instance, it would be damaging for the image of a stable, secure and reliable insurance company if it were to be revealed that all customer data had been fully exposed by hackers or the NSA.
  • Today, all large service companies need to balance industrialised processes with the human touch. As a customer, you do not want to be exposed to the internal processes of your service provider. The customer just wants to receive service in an uncomplicated way. Changes in customer behaviour and expectations will have an impact on customer satisfaction with our companies’ claims handling.
  • Our companies’ brands face increasing danger in a fast-paced world of social media. Our customers rely more on the experience of others than on the promises of the companies. Through social media, good and especially bad experiences can be shared easily and quickly. We can join the conversation about our brand, but not control it.
  • A fast-changing world offers opportunities and threats for your business and your position in the market. Are you ready to adapt to changes in customer expectations? Is your organisation positioned to deal proactively with change, or could you be caught off guard? Do you have a plan for what to do if an improbable case scenario does occur? By carrying out regular scenario planning, you can at least have contingency plans for different case scenarios.

In your keynote speech, you mentioned that it’s very hard for anyone inside the insurance industry to see the world the way a customer, or other outsider, sees it. Can you, as an outsider, give us some tips about what is needed to achieve excellence from a customer’s perspective?

Insurance companies that are excellent from a customer’s perspective will still need to have operational excellence. This is necessary because efficient processes enable affordable premiums. The challenge is to make the operational excellence “invisible” for the customer, to treat the customer in such a way that he or she doesn’t notice the processes needed to deliver the service. Ideally, there’s a lean machine on the inside, while customers get the feeling they are receiving personally tailored service. This requires thought about where the “machine” part of the processes ends and the “human”, emphatic part begins. Not everything that can be done by software should be done by software. The telltale sign that the proportions are right is the customer enjoying a pleasant experience.

How can such a combination of operational excellence and customer intimacy be achieved?

Big data is an important tool to achieve this. Now, it really is possible to have an intimate relationship with the customer. However, this can only come about if several preconditions are fulfilled. Firstly, you must be highly compliant. Secondly, and most crucially, you should proactively contact pressure groups such as Bits of Freedom, EURM or the Chaos Computer Club. You can ask them to ask you difficult questions about how you handle privacy and protect the secrecy and integrity of the customer data that you use. You can also discuss the legitimacy of the goals you use the data for. The same must be done with customer focus groups. In the end, much of what can or cannot be done is dependent on individual preferences. You should enable and encourage an informed customer choice about when to supply what data. Don’t make assumptions about what customers prefer, but ask and validate. Fourthly, data should always be protected and encrypted to minimise the chance of anyone gaining illegal access. Finally, the hard- and software that you use should come from suppliers that are demonstrably not associated with any illicit eavesdropping, be it by corporate or government organisations. Insurance companies may struggle to put all of this into practice, not least because they have to deal with a lot of legacy hard- and software. This complexity is unavoidable, and you should be super-transparent about it.

The important thing here is that you “live” your data philosophy, not only in communication but also in visible behaviour. Be explicit about what level of assurance regarding data is possible today, and how that’s going to improve over the next few years. Have a credible road map for getting to the technical solutions that are needed. And again, get into contact with opinion leaders. Invite them to a dialogue to design a code of conduct, organise an employee training day on internal compliance together. It’s bound to be educational for all involved. If you act on your good intentions in this way, there are still going to be blow-ups because of data problems. But even then, a good relationship with opinion leaders will help enormously in containing the damage.

You also said American companies are at a disadvantage in terms of reassuring customers worried about privacy because of the nature of US privacy laws and the scandals surrounding the NSA. Does this also mean you see new business opportunities for European insurance companies?

Sure. European insurance companies could provide “privacy-strong” ISP services, data centres or cloud space guaranteed to be compliant with Article 12 of the UN Charter. And what about a “safe Facebook”? What about a service that says to the customer: we will help you leave Facebook behind you? Moreover, providing high-privacy/ security online services to (European) customers is not only a business opportunity for the insurance sector, but also a great way to show leadership in socially responsible entrepreneurship. The privacy issue will only grow as more of the 78,000 plus documents from Snowden are released (so far we’ve seen only about 200, and the best is being saved for last). Insurance companies can work towards being the trusted parties by way of clear moral leadership on customer interaction and care of data. Such companies would surely also attract some of the most talented and motivated employees: everyone wants to work for companies that are seen to be leaders.

  • “He is a really inspiring person with a truly interesting vision for IT and the insurance business.”
  • “Thank you, Arjen! Your presentation was refreshingly blunt and, in my opinion, realistic. I think Eurapco showed courage inviting you to speak about things most of us want to ignore.”

‘Refreshingly blunt’, best compliment I’ve had in a long time 😉