Thank you for the introduction. This is embarrassing. I need to fix my screen. Okay, that fixed. Yes. Okay, computer scientists are excellent at technology. Okay, so this is a panel with, so I'm the least renowned person on this stage, so I'm gonna introduce our lovely panelists and then I'll explain what we're doing here. So to my right is Julia Angwin, who is an awesome investigative journalist at ProPublica, which is a non-profit investigative journalism organization. She has written a book about surveillance called Dragnet Nation. She used to be at the Wall Street Journal, where she led a privacy investigative team. So she is awesome and super great, too. Next we have Jack Gillum, who is an investigative reporter at the AP, the Associated Press, and he focuses on technology and surveillance and government accountability. He spent the last year uncovering a US government plan to overthrow Cuba using fake social media. So you may have heard about this story, too. And I think our last panelist needs no introduction here, but I'll do so anyway. Laura Poitras is a documentary filmmaker, a Pulitzer Prize winner, a Polk Award winner, an Oscar nominee for Citizenfour, the film that will be showing right after this. And my role here, as it was explained: I live in the ivory tower and I pontificate about cryptography.
So that would be my role here, is to be the ivory tower cryptographer.

So the genesis of this panel was, I for some reason was at a bar a few months ago with Julia, and we sort of introduced ourselves, and she's like, "I hate cryptographers." And I was like, "Why? We're so harmless." And I mean, her explanation is basically that every time she talks to a cryptographer they sound like this: some long-winded story about Alice and Bob that has no relationship to reality. And so she started telling stories, and I thought these stories were amazing, and also they sort of changed my idea of how cryptography related to how journalists actually practice. So we decided to organize something where we could have a conversation with the community about how cryptography and journalism interact. And you can think of this as QA testing for you guys, that you have a bunch of sort of QA testers who have done some things and they have some feedback for you, and maybe we can have a conversation. You can suggest some ideas for what they could be doing to secure themselves better, and they can give you some ideas of problems that they have that are not being solved. So, that said, okay, let's do this.

All right, so if you are thinking about journalists from the perspective of, say, a cryptography practitioner or like a security professional, you think, okay, what is the task that a journalist is trying to accomplish?
They need to communicate confidentially with their sources, confidentially meaning, like, some eavesdropper can't view the conversation that they're having. All right, step number one: Alice and Bob install some crypto software.

And I think the thing that we're trying to get at here is that, you know, Laura and Glenn had really an amazing source in Edward Snowden. I mean, just a hang in the moon goldmine of a source, really great documents, really uncovered a lot of government, you know, malfeasance. But maybe this is boring-sounding, in covering the federal bureaucracy that is Washington, but most of the time it's a guy named Bob who's like five years away from retirement and just can't fucking take it anymore. And he wants to find a way to get you a document, like, you know, a two-page PDF that he barely knows how to print on the local printer, that he needs help from an assistant photocopying, and it's that sort of, you know, opsec involved there, because if he keeps printing out these documents... He's the same Bob who logs in from his work computer and, you hear that "You've got mail," because he still uses AOL 15 years later. Like, those are the people that we deal with on a regular basis. And it's the little breadcrumbs that they want to impart to you. And so I guess what we're gonna start getting at is that when you then sit down and go, "Okay, so you're gonna need to install GPG Tools; if he's Windows, Kleopatra; you're gonna need to do a revocation key." Like, the minute they heard "install," "revocation key," they're like, "I know, we're done." I mean, and that's happened before, and then they take the easy way out, and that can lead to trouble, I think.

Unfortunately, the easy way out is that they are unsafe, right?
And so one of the challenges for journalists is that we are trying to keep our sources from making mistakes that will then hurt them and also hurt us, but more of them often. And so, you know, all the time people send me things from their Gmail account at work, on their work computer, thinking somehow that was some secret transmission and that their bosses will never find out. And it's just unfortunate. So the thing is, what we want to talk about is sort of how the bar is so much lower than you guys can maybe understand, in terms of what we're dealing with. And Edward Snowden obviously was like this perfect source who came fully encrypted. I have yet to meet a source like that. I'm waiting.

So one of the things I remember hearing about is that often sources don't even realize that they're sources.

So this is one of the things, this first date problem that Nadia and I were talking about at the bar, was that, you know, you meet somebody in the course of your reporting and you're like, "Hey, let's get a drink," and maybe you even met them through writing something very innocuous. And then you're in a bar and you're like, "So, like, what do you think about setting up an encrypted channel?" and they're like, "What?" And it's a little bit like asking for sex on the first date. You know, it's a little too much too soon. So I was telling Nadia this, and that actually was probably the genesis for this panel, was that line. And I've done this, right, and I've tried to convince people, and they're like, "I don't even actually know what you're talking about." Sometimes it's successful.
You never know. But a lot of times it's really a psychological problem. This person is thinking, like, they might help you because they want to make sure the story is correct, or they just sort of want to provide you one fact, but they don't want to be thought of, in their own mind, as a source.

I mean, I'd like to just say a couple things sort of from the journalist perspective, or sort of our kind of progression of actually how we learn these tools. And so I went through a period where, so I made a film in Iraq, and then I was put on a watchlist, so I knew that I had to sort of be careful, but I didn't really know what that meant. And so the film that I made after that I made in Yemen, and it was dealt and Yemen and in Guantanamo. And I knew that, like, digital communication was not safe. So I was like, sort of, danger zone, but I didn't know quite actually how to respond to that or how to sort of work around that. And I was trying to get access at that point, I was trying to get access to get a film crew to Guantanamo to film, and I had gone through, like, the official channels. I'm gonna try the front door. And I just never got anywhere. It was just sort of, like, delay, delay, delay. And then my name was on all the requests and that wasn't going anywhere, and then I was like, all right, I need to try the side door. You know, like, how can I get to Guantanamo through the side door? Which was, you know, created, like, this sort of, you know, efforts to kind of, like, sever metadata. Like, I hired somebody to sort of be the person who sent in the letters, and they called from their cell phone and never from my office, and did these kind of things to kind of, you know, not have a direct connection between me and these requests that were going in. And for that whole film I really kind of almost resorted to, like, an analog way of working. Like, I was sending grant applications, but I would never send any over email. I was like, everyone got a hard copy
and these kinds of things. And it wasn't actually until working on this, the film that I'm gonna show later, that I actually learned some tools. And it wasn't that easy to actually find out what were the correct tools, because, like, you know, you do a search and, like, a lot of things come back in terms of what is recommended. So it actually took quite a long time where I was working kind of in the dark, not knowing what tools I could trust to have anonymity and security and to do the work that I was doing. And then, you know, luckily I had some very good teachers.

So what does work?

Say it again.

Is there anything that does work? Anything that doesn't work?

How do you mean, like? I mean, Jake Appelbaum and I are doing a talk tomorrow and we'll talk about some things in terms of that work.

So there's one last problem that I remember discussing about the difficulties of installing crypto software, which is that if you were at a bar, imagine you're at a bar, you pull out your phones, you're installing a software...

Right, so one time I did manage to get someone convinced to do this on the first date at a bar, and I thought that an encrypted messaging app would probably be the easiest thing, you know, a cell phone app.
It was Silent Text at the time, and so I sat down with my source and I was like, "This is gonna be so much fun. We're just, just, like, fun, you know, be like a fun way to just communicate." And so, you know, it's one of those things where it takes a long time to download, and then there's a lot of verification actually that you have to do. So there was a verification key that, like, we had to exchange with each other, and for some unknown reason it just took an hour to do this, and by the end of it we're both sort of, like, covered in sweat and exhausted, and like, it was a little like sex on the first date. And you know, the thing is that Silent Circle, we were using it, it was really the early days. It had just come out, because it wasn't that much crypto that I felt like I couldn't ask this person to try to use GPG. So we had these calls that it was like in the 70s, you know. We're like, I would talk and then there'd be like a five-second delay and then she would reply, and I realized, you know, that it was too painful, and we both kind of gave up using it after several months. But we gave it a really good try. But it's just, sitting at a bar trying to do this when you've had two glasses of wine, we probably weren't, you know, at our best for these tools.

Okay, so once Alice and Bob have successfully installed some crypto software, the next thing they do is exchange keys. This is, you know, one of the great things and the greatest developments in cryptography ever: public key cryptography. Exchange keys. It solves the key management problem. And unfortunately the reality of the key management problem today even still looks like this.

So my family, including a relative who remains nameless, likes to use, you know, the different search engines out there that are installed on our browser, like Bing. You know, "Jack, if you have you Bing this day," and I have no idea what she's saying. And these are the people who we are dealing with in Washington, who, like, have this
rudimentary understanding and have their kids fix their iPhone, or, you know, even younger people don't really understand this. So when you, you know, say the words "open up Terminal" or "open up the command line in Windows," again, like we were saying earlier, I mean, that's when they sort of freeze. And part of this, and maybe some of that isn't, correct me if I'm wrong, but in Windows, you know, which I have to use for my work, Kleopatra, you can't out of the GUI create a revocation key. So at least that I haven't been able to find. And that's obviously a very critical part: if your laptop gets stolen or compromised or whatever, you need that revocation key. And just even explaining it to very smart, you know, almost tech-savvy co-workers, they're like, "Well, wait, what? It needs two hyphens with the out of the revoke?" And it's just that complicated message. You know, for us, it's maybe not that hard to just fire up the terminal and type a command in bash and be done with it, but it's that critical step that people tend to bypass. I think we're going to talk about the shortcuts that people take when these things get hard beyond what they're used to. And not to paint our industry, that, you know, a lot of journalists are Dunderbuses or something, but, you know, we're set in our ways.
I mean, we spend, you know, 10, 20, 30 years, we know how to report a story, how to turn the screws on people, how to get the documents, how to file the public records request, and we've sort of been doing that, chum, you know, chugging along for a long time, and all of a sudden, you know, and particularly after the Snowden disclosures made us realize more than anything, and after, you know, my colleagues at the AP to boot, where their phone records were subpoenaed by the Justice Department. I mean, sometimes they really are out to get you, and, you know, this is critically serious. So I think it's trying to teach an old and young dog new tricks, and it's very difficult, I think.

Also, I just want to confess I don't have a revocation key. I'm sorry. Or a separate subkey. I've been meaning to. But honestly, I find it kind of challenging. It's taken me two years, three years of, like, really working at using GPG, and I feel like I kind of have my little system duct-taped together. And so, lest you think less of me, which I'm sure you do, I am probably the most tech-savvy journalist in every newsroom I've been in. I grew up in Silicon Valley. I started programming in BASIC in fifth grade. I do actually have some credentials, but I find this stuff incredibly challenging.

Just one question. How many people in this room understand everything that's on the screen right now?

Yes. We need more sources like you.

How many of you guys understand everything that's on the screen right now?

I'm the guy, I went to the Linux users groups parties growing up and had no friends. So I understand this a little bit, but I loved it. I wouldn't change it for the world.

I think I understand it. That doesn't mean I succeed.

Okay, so once Alice and Bob have exchanged public keys, they need to verify the authenticity of these keys. So Alice and Bob need to verify fingerprints. Laura, you should tell us, like, the best case scenario, right?
Yeah. I don't know how many people... Micah Lee, who works with me at The Intercept, wrote a lengthy piece about how he helped my initial contact with Snowden. And what had happened was Snowden had tried for a while to get Glenn on encryption. That didn't work. And then actually the way that Snowden found me is he emailed the Freedom of the Press Foundation, which is an organization that I'm on the board of, trying to get in touch with me and get my key, and I think also wanting to somewhat verify that the key that he got was correct. And so then Micah sent me an email, an encrypted email, and said, "Hey, some guy, or some person," he didn't know the gender, "wants to get in touch with you. Can I give your key?" And I said, "Sure." And then he then emailed and we did a first exchange. His first email to me was to my true name account. It was a Gmail, maybe I don't think I said that before, but it was. But that email has already been published, his email that he sent it to. So then he said something that was, like, certainly got my attention, which I think was in that he was in the government and that he wanted to share information, and that no matter what happened to him, the information should make its way to the American public. And so that certainly got my attention. So then he asked me to create a new account, an anonymous account, and to contact him. He contacted me at a new email address with a fresh key, asked for one, and then he asked me to figure out a way to verify it, and he gave me some options, and one of them was to have someone tweet it. And so he actually recommended that Micah tweet the fingerprint. So then I emailed the fingerprint to Micah and I said, "Hey," you know, I didn't say too much about, you know, the first email, I just said, "You know, would you mind just, you know, putting this in your Twitter account?" And he did. And so that was how Snowden was able to verify my fingerprint, and that was, you
know, probably a week or two weeks after we started corresponding. And then we were sort of on an anonymous, you know, both in my communications were severed from my true name, but I was still using the same computer. And then the next email that I got after that one was the sort of "holy shit" email, which is when I realized that I really need to create sort of a real blockade between anything that was tied to my true identity and these communications, and that's when I moved over to Tails, to the Tails operating system. So thank you, if there are any Tails developers in the room. Thank you.

I could continue on a little bit in the story and then we can come back. So then, so he actually, Snowden had said, you know, "For most security you should use Tails," and I'd known of it, but I wasn't using it at that time. And so, but I did have a bit of a dilemma with it, because I didn't really have confidence of how to verify this, the download, the certificate. And actually I was back in Berlin and a friend of a friend, one of the friends in the room, gave me then another name of another person, whose last name I actually never knew, who set up a Tails disc for me on a computer, which was a computer that I purchased with cash in New York. So there was nothing tied to my name in the correspondence from then on.

So that's, like, above and beyond levels of verification and trust verification. And then, they can...

I guess I'm gonna play the part of, like, the complete hapless one here. But I did the, I thought, one of my sources, I thought key verification in terms of numbers would be too hard. So we tried to do the shared secret on OTR. I managed to get this person on OTR, and I thought that it would be really easy. We didn't set up a shared secret in advance. I just thought we would be able to come up with one. So I said, "When did we first meet?" or, "Where did we first meet, what location?" and the person answered wrong.
And then that person asked me a question of where we first met, and I answered it wrong. So we had no idea where we had first met. So that didn't work. How many people in this room have had that problem? I feel better.

All right, so now we've successfully verified the authenticity of our keys in our software. Step number four in a confidential communication is Alice and Bob actually initiate confidential communication with each other. And why this entire talk is illustrated with XKCD slides...

And even at the AP, depending on which version of software you install, it either does inline PGP, it attaches it as an attachment, and you can't read them, and there's UTF-to-ASCII character conversions. And that's just among four people I work with, and that's, you know, yet another headache. I think we're not bagging on this entire... I mean, the story, the Cuba story that Nadia was mentioning, we used PGP extensively. When we did work in countries that, shall we say, aren't really very favorable toward the press, we used other tools, which I'm sure Laura's gonna talk about in the future. Secure voice communication tools, like Whisper Systems, the Signal, we used that quite a bit and it worked very well. Another sort of tool. So don't take away the impression that this is all garbage and we're throwing up our hands. It's just, your mileage may vary.

I mean, I guess I could just bring in, like, yet another sad story. So one time I was really proud because I was really getting, like, a good PGP communication going with somebody, and then all of a sudden we started dropping plain text. And basically it turned out that one of us had it set only to accept, okay, I'm gonna get the technology wrong, S/MIME and PGP, and one of us was not accepting P, S/MIME, and so the whole thing fell apart. And once again, I just felt like every time I think I've climbed, like, some way up the mountain,
it turns out I'm really just at base camp.

I will confess that I have dropped plain text with people on this stage.

And let's see, so, okay, I guess we can talk about, once we've moved on from confidentiality, we've talked about this a little bit already, another property that journalists need with sources is anonymous communication. Laura was talking about anonymous, unlinkable communication. So what this looks like is, say, the simplest case, even not using so much cryptography, is if you want an unlinkable thing. This is what Laura just did: she purchased a device with cash and then installs software on it. So Alice, our journalist, might purchase a burner phone with cash, maybe install some encrypted communication applications on it, install all the contacts so that they've been verified by her, and then, say, mail Bob his special burner phone, and then Bob can use his burner phone to securely communicate with Alice. This is straightforward. This is taking all of the responsibility for installation and verification away from Bob, our hapless source. So how does this work in practice?

Yeah, so colleagues of mine actually think that this is a true burner phone.
It's not. It's tied, particularly when they do on their phone: they tie it to their Apple ID and then make what they think are anonymous phone calls. This was sort of by accident; Nadia put the slide in because the one use, the Burner app, as an aside, Burner had, was, it's, obviously, is an app where you can select an area code and, for a certain amount of credits, create a phone number that, you know, masquerades from that area code. Well, not masquerades, and they can call you back on it. And I remember once dealing with a former Washington official. We got a document how he's got some big payout from an organization, and he wouldn't, obviously, pick up my 202, that's a Washington, DC area code, phone number. Wouldn't pick up a blocked number, wouldn't do it. So I figured out where he lived, in his rural state where he retired to, and I got that area code and called him up, and he answered in a tizzy because he thought, I swear to God, he thought it was the plumber who was running late to come fix it, because he probably, like, picked up the phone near the... Okay, and he's like, "I'm just got done with the workout, are you still coming over at 10?" I'm like, "Mister So-and-so, it's great I got you on the phone. We're preparing a story in an hour that says you did X, Y and Z." And, like, that's, I think, the only time that, I mean, this is not an, you know, do not use this for anonymous communications. I mean, it's to basically, I mean, in my experience, it's to, you know, hit him with the area code that they think is friendly fire, or is a friendly number, when it's not.

So one time I bought a burner and did the sort of Alice and Bob thing you just laid out, and I sent it in the mail to my source, an executive at a company, who is trying to share all sorts of damning information about his company. And we met in a cafe. I said, "I'm going to be sending you a phone," and he agreed. This was not a first date problem.
We'd, you know, been talking for years. So he was willing to set up this encrypted channel. And then I would call, I would text, nothing. No response, no response. Till finally I had to call, like, "What are you doing at the burner phone?" He's, "Oh, I never bring it anywhere with me. I just leave it at home." You know, just like, it didn't have enough room in his pockets, right? One phone. And so, you know, once again, I was like, I would end up calling to tell him to go pick up the burner phone, and so that was pointless.

And the burner thing is difficult, too. I mean, you know, particularly, at least in the States, I mean, the stereotype, you know, it's like you must be a drug dealer if you're getting a burner phone with cash. And you really look like the... I mean, I'm a journalist by training. I don't care. You know, I look like an odd duck for a living and that's fine. I'm fine being the weird guy. But, like, when you're there at, you know, the AT&T store, whatever, you're topping up your SIM card and you're, like, the guy pulling out wads of cash, and you don't really want to give your driver's license because you don't really have to, and you're giving a name that the guy knows is not your real name, and you're doing this weird dance, and it's just like a terrible Christmas dinner. Just like, I just want to go home. Just give me the thing and go. And you got to do that to fill it up, and it's, yeah, so basically we need to normalize the burner phone or something.

Do any of you use Tor?

Yeah, oh, yeah, all the time.

I guess we heard Laura's success story with Tails.
I mean, I don't think any of us could do our work without Tor. I mean, really, I think we use it every day.

And even for people who don't understand, you know, DNS, all I do is, I don't know why I use this website, you got it, I put him down, I go, you know, particularly since the AP has their own netblock, and, you know, you reverse look up that address, it says "The Associated Press," you know, whatever, 33rd Street, New York, New York. And, you know, you go to ipchicken.com or whatever, I'm like, "Look, you know, somebody who's monitoring a government email or a government web server, you know, you're immediately tipping them off that you're hitting them." I mean, there's many uses for Tor besides that, but just the little things that always seems to, like, they're grasping, like, "Oh, they really know it's me?" I'm like, "Yeah, they know it's you."

I mean, actually Tails is, like, my favorite sort of success story. So with fellow journalists, actually, who find all this other encryption difficult, I find that actually showing Tails is easier, because it's sort of this controlled environment. So I've had some success getting some colleagues to use Tails because it's sort of simple. The idea is a little bit simpler, the idea that you just have this separate machine that you just do this, and it's sort of, all, the box is built as a default to make you kind of make the right choices. And so it's probably my favorite tool.

I think that segues into sort of the last journalist task, which is keeping notes and data. And of course from the perspective of the hapless cryptographer, this is easy. Alice wants to keep some notes. She encrypts the data to her private key.
Nobody but her can decrypt it. So then, of course, situation number one: collaboration with fellow journalists.

I mean, there's a time I'm just thinking of in recent memory when we've had, I mean, the AP is a global news organization with people all over the world, and, you know, sometimes we need to, you know, communicate securely. And like I was talking about earlier, and again, this isn't, you know, it's not malicious that people do this, but, you know, they're just so used to picking up the phone, using, you know, plain old telephone service, and just dialing, you know, 011, the number, what have you. And I just remember, you know, coming close once to being on a call where people were calling in from, shall I say, hostile countries toward journalists and their sources, and we were all calling in using these unsecured lines. And then we all sort of realized, like, what we were doing, and it was, you know, we all sort of realized, you know, oops, we left the back door open, I think the cat just got out and it's too late. But not quite, because we didn't really, we were about to, you know, we're gonna say, "So confidential source X lives on whatever street in Venezuela," you know. We didn't get to that point, but, you know, even when we're sort of used to it, you know, after Snowden sort of showed us that, and in the AP subpoenas, that, you know, people really want your data. They will get access to it, and this is, you know, no laughing matter.
I mean, and even, you know, people who do it all the time sometimes forget about it just by force of habit, and I think that's, you know, a problem. Obviously we need to correct ourselves internally.

But it's one of these things, actually, the mindset in journalists' newsrooms is sort of outdated. So the sort of rule of thumb in a newsroom, most newsrooms, would be: if you're filing a story based on a confidential source, your editor, and oftentimes the editors up the chain, need to know the identity of that source, and that's a general practice. And the problem is your editor may be in another country. And so, you know, at the Wall Street Journal, where I worked for 14 years, you know, sometimes it just wasn't possible for the journalist to convey to the management in New York who the source was in a secure way, and sometimes before a story would run that journalist would actually fly to New York to talk to the editors and say, "This is the real story. You should publish it." And of course that delays publication and is very expensive. And so it's just a challenge within the structure of newsrooms.

Yeah, I mean, I certainly experienced these kinds of problems working on this story. Right before going to Hong Kong, the Washington Post got very nervous, and there were a bunch of lawyers that were making phone calls. They were all in the clear, and they were sending emails about what was going on. And I mean, I really freaked out, because it seemed to them, and this was the most risky time to be having these kind of communications over anything electronic. Let me actually, I want to say something about the sort of collecting of notes, because as a filmmaker,
I mean, what I do is I actually usually, you know, filming. And so, I mean, one of the things that I would love if somebody could someday develop is if you can record videos to an encrypted media, and so you don't have unencrypted media on you, because that's pretty risky depending on what situation, if you happen to be, for instance, filming a protest and you're not able to, you know, pull out an SD card in time. When I was in Hong Kong, I was concerned that we'd be raided, and so every day I was backing up the media and putting it onto encrypted drives, but then I had to physically, like, destroy the SD cards, because I didn't want, you know, the raw footage to ever fall in anyone else's hands. And it happens a lot when you have people who are working in, you know, whatever, in protests in Egypt, for instance: if they get your camera, they can potentially get a lot of information if you can't get your media out in time and do something with it.

So I think we're almost done here with the slides, so start preparing your questions and your answers to all of us. I think, well, what Laura's story just segued into is the legal coercion problem, that one of the big threats that journalists face is coercion from governments, either forceful or legal or any other way. Does our AP representative want to talk about the problems that the AP has faced?
Yeah, I mean, just generally speaking, I mean, I think it is a little bit of a hostile time, and maybe that's understating it, I mean, for journalists. And I apologize, I come from a very American-centric point of view because of Washington journalists. But I mean, this is, it's sort of conversely the most transparent administration in global history. But, you know, we were talking about IMSI catchers, you know, an earlier panel, and, you know, this is the same, meanwhile, government that turns around and tells, you know, my colleague and I found out, that tells local law enforcement they can't even release details about what the local police do, and, you know, it's very secretive about, you know, like, when they got our phone records. You know, it's, you know, people even coming down to sources, and sort of, like, the bottom line here, where, you know, why this matters so much, is, it segues into, it's not just, you know, about the intelligence community here. It's not about, you know, an NSA contractor in Hawaii who, you know, dumps all the, you know, top secret classified documents, as important as it is. I mean, these are people who work in state houses and in companies. I mean, as Julia was saying, you know, like a company that's crooked, and, you know, people lose their jobs for this. I mean, they lose their mortgages. They can't pay their bills.
They can't feed their families. I mean, these are very real effects of talking to the press, just talking to us. And I think we owe it to sources to do a better job at this. I mean, we have the tools at our disposal, and with the help of the crypto community I think we can, you know, really do it right and make this better so we can have better journalism and hold people accountable. It's so cliché to say, but that's the reason why we do what we do. And you know, we can't just, you know, go back to a plain-text world when encryption is, you know, clearly the next forefront.

So I just want to add one thing, which is that I, I think that newsrooms, I know that journalism is also under financial pressure, but I believe we have a moral obligation to invest more in these types of tools, right? It's heartbreaking to me whenever I learn how few people support the tools that I use every day and how underfunded they are, and I personally tried to donate, but I don't have, and I'm a journalist, right? I'm not gonna be able to pull this by myself. But I think our newsrooms would be well served to see these tools as central to our work and to invest in them.

All right, last slide before questions. The last issue that a lot of you run into is crossing international borders.

Okay, wow. Yeah, I mean, it's, it's no man's land. I mean, in terms of legal, I mean, you have no protection, and they, they use it.
I mean the US government, when I say they. And you know, in my case, you know, it's over six years detained every time I returned to the country, and you know, they photocopied notebooks and threatened to take electronics. Many times they would stack them in a pile, and, you know, I would say that I was a journalist and we would have long fights, and they would say things like, well, you know, this would go much faster for you if you just give us your passwords, and I'd say, you know, that's not happening, and then they'd say, well, if you don't answer our questions, we'll find our answers on your electronics. You know, that was one of my favorite quotes. I mean, ultimately I moved to Berlin because of this problem, because the project I was working on, I couldn't, I didn't feel that I could protect the source material I had and cross the US border. And so I started, I was shooting and filming, and then I would, you know, leave footage outside of the country, back it up, and then return home. And did that for a while, and then once I needed to start editing, then I came to Berlin and started working there. So it really was, it, you know, created a huge problem for me to be able to do the work in the US.

I think there's a question that we don't know how to answer: is it safer to bring data across a border with your person or to send it electronically? Maybe the answer is just no.

I mean, I think, I think to a trusted, you know, second party would be probably the safest.

There are no more stories that our other panelists want to tell?

Well, I mean, I haven't, obviously, left the country. I still live in New York, but I have for the past several years, after one source called me and said, look, I know you're about to go on your annual trip to India, I go every year to visit my husband's family in India at Christmas time, and this person said, I just can't have your, my name in your contact list if you're going to bring your phone across the border. And at that moment I realized, oh my god, I can't, I can't
bring anybody's name across in my contact list. So I realized I had to leave my phone behind, and I have continued to leave my phone behind on every international trip, and also my computer. I have a, what I call a zero data policy crossing borders, which by the way means I don't have anything, right? So it's really inconvenient to come with no data. It means that I get less work done. I'm less productive. I bring a Tails machine and then I have a, some documents I might want to work on on a stick, but it's not a great and convenient way to do reporting, and my editors, despite, you know, supporting me, are really annoyed when I don't reply to their emails.

All right, so I guess with that we'll open up for questions and answers from all of you.

So before we start the questions, first of all, if anybody is leaving right now, please do so very quietly, take your trash with you, and also it would be nice if you would not let any Mate bottles fall over. Thank you for the demonstration. And also, if you have free seats now, then please already try to defragment a bit, like move inwards in your respective rows and make room on the sides. We will not leave and let anybody inside this room yet before the next section, but basically the film is going to start. So during the Q&A, please try to be a bit quieter than right now, a bit quiet. Okay, so then, hi, let's start with microphone one.

So if you're so much in the focus of agencies and so on, like Laura, what do you do about endpoint security? Let's say you do everything correct with encryption, but now you have this air-gap device laying in your home. And like, do you always carry it with you, or do you sleep with it under your pillow? Or how do you make sure that it doesn't get bugged?

I would never answer that question.

Okay, so I mean, would you have any advice for people who want to, who have that problem? Like, I mean, what, how would they find out what they should do?

I mean, obviously it's a question of threat model, right?
You know, and I mean, you know, there, I mean, I don't know if Sarah Harrison is here. I know she's giving a talk, but she's off, she carries a lot of computers with her. I mean, that's sometimes what we do. There are times when you carry a lot of computers with you, and I think that there are times, you know, where it depends, where that might be more necessary than others, depending on what you're working on and/or the political context in which you're working. So, I mean, obviously, I mean, what people will say is that if you, you know, do you never lose possession of it. It would be, you know, the sort of, you know, absolute secure recommendation.

Thank you. Microphone two, please.

Hello. I was left with the impression that burner phones are viable option for informants. I would dispute that view. The problem, the problem I see with burner phones is that in the data mining it's very easy to identify a burner phone, because, like, let's say if we have a burner phone, there are two cases. You travel with a burner phone, then you quickly identify a burner phone is a burner phone because a movement pattern is very similar or identical, you see like the same base stations, so you can identify not only that, you can identify which person has a burner phone, and because you know the identity of that person, you can identify that it's that person's burner phone. And even for the stationary case, where we for example leave the burner phone at home, the burner phone has a very distinct communication pattern, because you essentially just communicate to one person, which is extremely unusual. So together with the location, you know, for example, okay, the person is living, let's say, in the radius of a kilometer or something, but you have these special phones that only talk to one person. So I don't think there is a good scenario for burner phones, that should be avoided.

I would just say that, um, on burner phones, that it depends on your threat model, right? For a state actor who can see the whole cell network,
you're completely right. I wouldn't recommend burner phones. But I was using a burner phone in this particular instance for a corporate source, right? And I don't think his company was going to be able to get the cell companies to give up that information. I wanted him just to not use his corporate-paid cell phone, which is what he previously was using to talk to me. Right, so it depends on your threat model. For some people a burner could be fine.

Thank you. So let's get a question from the internet. Can you give the, can you activate the microphone? Okay, now it's activated.

Hello. Well, there are a thousand questions on the IRC channel and I hope I can at least relay a few of them. Well, a lot of them are going about training for journalists, like, are there any journalism schools or universities that are teaching crypto as an obligatory, yeah, basic skill, or what can a technical journalist do to lure more of their fellow students into some crypto parties, and also, yeah, how many days or weeks or years does a journalist in your experience need to really also get the point of encryption or secure communication, to be also comfortable with it? So this is all about this huge field.

I knew journalism schools up to five years ago that, like, their prime technological feat, besides doing beat, what we would call beat reporting, was teaching people how to use Adobe Flash, and, like, that ticked the box with, like, the technology that needed to be learned. And again, maybe it's an old dog and new tricks thing of people who in the business, and they're like, this crypto thing, I mean, those include journalism professors too, never had to use it, never had to face this reality. I know Columbia University has a computational journalism track.
I know there's been discovered, I'm not the expert on this, maybe somebody else is, I know that this has been at least a discussion in, like, the American journalism education community about, you know, it's not just the crypto too, it's, you know, digital public records requests and analyzing, you know, big data, you know, how to parse through it, all these sorts of things that, you know, that go beyond the, you know, notebook-assisted reporting of days of yore, you know. And I, I'm sure that's a discussion somewhere.

I would have, so I'm working with the Columbia Journalism School right now. Actually I'm writing a chapter for their, one of the book that's coming out on what types of techniques journalists can use, and they are beefing up their crypto programs, but it's not mandatory. And the truth is that there's a lot of confusion out there about what are the best crypto tools. One thing that's upsetting to me is that there are, you know, every day I get an email from a new crypto program, and some of them are not really as encrypted as they seem, and so I think there's a lot of confusion in the regular public about what they should use. Which is why, and you guys probably already all know all this, but essentially I did a ranking with EFF of crypto tools on seven criteria, just to provide some sort of benchmark of what people might think, might consider actually safe.

Thank you. So microphone three, please.

Hello. Thank you very much for your talk. I want to raise a question about a power structure that was not part of the discussion so far. I once gave a crypto party at a big Dutch news corporation, for the Dutch people in the room, called the NOS, and the journalists were super enthusiastic. They want to get started right away, and I said, okay, let's get started with installing Tor. And I said we are not allowed to do that on our machines. But luckily there were some tech people of the NOS in the room, and we looked at them, like, can you help them out?
Can you give them permission? And said, we could, but we're not allowed, because it's not part of our budget to install this, and everything's actually closed down, and if we change anything it will all fall together. And they looked kind of panicked, and then it turned out that management had to come in, but they were nowhere to be found. And that seemed, and maybe you can relate to that, in a lot of news corporations there's this management layer that in the end needs to be, like, part of this whole transition into, like, secure communication.

Yeah, that's a really, really, really great question, because having worked for American news companies where they are cut to the bone, that is a very real concern. I mean, you have almost two parts, I would say, or two sort of issues. One is the money issue, you know, because, you know, from an IT, I mean, you know, from a newsroom point of view we're like, well, it's a great source, let's do it, you know, pay any cost, bear any burden, we're gonna do it. But then they're like, no, we only have X amount for fiscal year whatever, and by the way our Exchange mail servers are basically smoking, you can see one smoking. That's where the money has to go right now.
The other one is to, yeah, exactly, and that's the counterargument to that is it doesn't, and it's not what they're used to, they're not used to doing this. And so at least the success that we've had, or I've had, in some news organizations, others have as well, is sort of the, now a journalism professor, Matt Waite, used to be a reporter in Florida, has this thing called demos not memos, like, do this organic from the bottom up and sort of show how it works, do a test case, you know, use free software, use Tor, you know, use the Tor browser and the IP Chicken thing that I was taught, whatever you want to use, and then people sort of have these little epiphanies, like, okay, that makes sense. And then that, you know, and it's, I've seen it happen even very recently, it starts bubbling up to the top, you know, combined with the other news just in general about how, you know, the government is basically looking over our shoulder, and, you know, ideally that starts to collide. And, you know, the selling point for them is like, Tor, or Tails, it's free, you know, a cost of a DVD, I'll give you ten on the house, just download it, you know. And I think it's that, it's a different mindset that they're not used to, just like reporters aren't used to it.

Yeah, but also, I mean, there's a problem with IT departments in newsrooms being total control freaks and not letting anyone touch any machines, and that's, that's not about cost or, you know, not understanding how it works. They're just, you know, don't want anyone touching any machine, and they want to keep, you know, access to every machine that goes out of a newsroom, and that just needs to stop. I mean, I think I was at Democracy Now and Jake was trying to install OTR, and someone's, you know, he said, oh, you should have OTR so we can talk, and he started to install it, and like an IT, a freaked-out IT person came into the room, like, what are you doing to this computer?
So they were, they were actually, they were able to know that that was happening, A, that's sort of fucked up, and B, why would you ever stop that?

And it's funny, because then people do the workarounds, right? Like, I was in a news organization once where I couldn't, it was locked down administratively, I couldn't install anything. So I just brought in my home, my, whatever, a PowerBook, whatever was the time, and I installed it. And they were so concerned about security, security, security, but then I just took the ethernet cable and just, bam, right into the wall and got right onto the network. I'm like, okay. So like, on one end we're concerned about security here, but I'm here, I can, it's no problem. Okay.

Thank you. Another question from the internet, please.

Yeah, as I just touched the journalists, I now go to developers as the target group. So what tools would you need, or would other journalists need, that open source developers can develop and make better, and like, what features are really most important to you to help you make your job?

I think that actually investment in GPG itself would be great, because I love the fact of the public key infrastructure, the fact that you and your source don't have to, don't have to know each other, right? Because if somebody reaches out to you the way that Snowden reached out to Laura, there was a way, even though it's clunky. It seems to me that that method of sort of overcoming that first-date problem of finding somebody and verifying them in a public way is still sort of our best hope. Those are the sources that we want to attract to us, is somebody who just thinks they might want to share something, and if we could make that easier, I would be really in favor of that. I still use GPG much more than I use any other tool, despite my constant frustrations with it.

Yeah, I mean, I would just echo again what Julia said earlier about Tails and what, next, what a great device that is for us to do the work, because what I found when I started doing the reporting, then it wasn't just me who needed it, but then you have a circle of people who you're also reporting with that you have to bring up to speed. And you could actually, you know, I ended up making a lot of Tails disks and circulating them to people, so that I had people in my circle that I needed to talk to, and that became, you know, relatively large. And to have a tool that actually is sending things by default with encryption, that you can just say, here's a computer, this is how you find me, was the most valuable tool for doing this reporting.

Thank you. So microphone four, please.

Good, so I just wanted to make a couple of comments, positive comments, about the use of burner phones. Ideally both parties will have a burner phone that was bought in cash from a brand where you don't have to show ID and you don't have to deal with a human. In the US these are TracFones usually, where you just go into a convenience store or something like that. You buy something in cash.
You buy some, you know, minutes that you add on to there, and that's that, okay. So ideally, as the first comment actually pointed out, is that if you're carrying these around all the time, the social graphing becomes very easy, because, you know, Julia's social graph, you know, calls she's making, where she's at, which cell tower she's hitting, will match up identically with her burner phone, and that's absolutely not what you want. Ideally you would want to have a set time where you have your battery into the phone, and all other times it's off on both ends. So if you say, you know, Saturday from 7 to 9 every week, please put your battery in the phone. If I don't call, okay; if I do call, okay; and all other times just keep it unplugged. And that's a really good way to ensure that, you know, hopefully you're both making calls outside of the house, so maybe it's even slightly less trackable, but also if you're in a big city like New York, it doesn't necessarily matter. This is also what drug dealers do; you might recognize this method from there.

I'm super excited to meet the source who's gonna comply with those directions. Please put your battery in this phone from 7 to 9 on Saturday. I'm sure that person is out there.

All right, another question from the internet, please.

Yeah, following up on this, like, what should a source do? What is the most sensible way to contact a journalist, and what in your experience are the typical and maybe most fatal mistakes they make?

That's a great question. You know, it depends on how secure you want to be. It's very difficult to make first contact without using, you know, the journalist's existing email address, so you are gonna have some, or some known way to reach them. I actually advise people to use the postal mail. No return address, and I read my mail. I get a lot of mail; most of it isn't interesting, but some of it's really interesting. And then you can put a disposable email address in there or a phone number, and I will reach out.
I think it's an underestimated tool.

Yeah, and you get, I mean, I get letters all the time, from, not all the time, but from people who do want to make that first contact, if I haven't already met them at a previous social occasion. I mean, again, this is very specific to Washington, because everybody talks to everyone. But I mean, then they will send me a note and, you know, ask me to get in touch with them, I guess.

We have time for two quick questions. So first microphone one, please.

Regarding the request for encrypted video: the Magic Lantern project, which is an open source firmware for the Canon SLR cameras, already supports RSA encrypting of the still images, but not yet the video. But if you reach out to us, we'd be happy to talk about whether or not that's a possibility.

That's fantastic. Thank you.

Okay, that was more of a comment than a question, but thank you. So microphone three, last question, please.

Yes, you mentioned the coercion problem and, thank you, so what would you think of systems which basically allow you to set up a passphrase and encryption passwords, which, basically a fake one, which would make your data definitely unusable if you ever use it? Is it actually a good solution for the coercion issue?

You mean that would destroy your data, like if you hand over this password it would destroy everything? Is that what you're saying?

Yeah.

In the context of the UK, that, you know, would probably be something that, because I think they can hold you if you don't, if you don't comply with that. It depends on the context, but I think that would, I think, be very valuable. I don't know if it's been done.

Would you guys use such a thing?

I would love to have such a thing. I think it's fun to have the idea of the escape handle, stop the train, right? Because then also I would sort of feel maybe better about bringing my devices over the border if I could feel very confident that I could destroy it at a moment's notice.

Was it Hillary Clinton advocating for like a kill switch? No way.
What was there? There was a kill switch idea, but that was something else, never mind.

I'm pretty sure if you've already had a legal demand, that would be risk of contempt of court to use such a thing.

Okay, then we're finished. Thank you very much. Give them again a warm applause.