[liberationtech] Safer submission of content to news organizations
Jacob Appelbaum
jacob at appelbaum.net
Tue Jan 17 16:18:46 PST 2012
On 01/18/2012 03:39 AM, Martyn Williams wrote:
> Hi to all on this list. I've been following discussions here for a while
> but this is the first time I'm posting.
>
> I'm a Knight Journalism Fellow at Stanford this year, which means I have
> a year off from reporting to follow projects that interest me and help
> innovate in journalism in some way.
>
> One of my two projects is focused on the security of consumers who
> supply content (text, photo or video) to news organizations.
>
> I see a lot of work being done on how citizens/activists/bloggers and
> others can secure information on their end but I haven't seen much done
> on the other end by the news organizations. Sometimes they offer little
> more than an email address or Facebook page for submissions.
>
Surely you've seen the efforts (aka abysmal failures) by the WSJ and AJ?
> So my project asks: If news organizations are to solicit content from
> people on the ground (and there are no signs this will stop), what can
> they do to make it safer for those submitting the information?
>
HTTPS with ciphers keyed in a perfect forward secrecy mode, Tor hidden
service, no requirement for proprietary software (eg: flash, java or
other garbage) for use of the site, no need to submit anything other
than the document itself, etc.
An example of this kind of submission system (disclaimer, I'm involved)
is GlobaLeaks - The code is on github:
https://github.com/globaleaks/globaleaks
> Should they set up a dedicated server, rely on a cloud service, use a
> certain type of encryption, base it on a particular technology, etc etc?
>
They should run a dedicated server - they should not trust the cloud -
they should offer a Tor hidden service and a normal HTTPS interface that
has forward secrecy modes - this prevents issues with key disclosure at
a later date.
The submission system itself should probably be free software and
hopefully not invented in house without third party review.
> The goal isn't anonymity like Wikileaks - that brings a heap of
> editorial problems with it - but making it harder for tracking to link
> person A with news organization B. It should also be practical to implement.
>
What the? Talk about a slap in the face, eh?
If you don't have anonymity built in from the start, I already know it's
not worth trusting.
> It will ideally be based on open-source technologies that are freely
> available and can be implemented by news organizations of any size.
>
Free software for freedom, please:
https://www.gnu.org/philosophy/free-software-for-freedom.html
> If successful, I hope to present this to news organizations, push for
> its adoption, and raise awareness of the need for media groups to think
> about the safety of those sending content.
>
The people involved with GlobaLeaks are already doing this - consider
emailing our lists.
> I welcome comments off list. If anyone has heard of or is working on
> similar technology or has an interest in collaborating I'd love to hear
> from you.
On list is better - it allows everyone to benefit from the time invested
by all parties.
All the best,
Jacob
More information about the liberationtech
mailing list