Google+ for journalists at risk

A Google developers conference in May. (Reuters/Beck Diefenbach)

When they're creating new features, software designers talk in terms of "use cases." A use case describes steps that future customers might perform with a website. "Starting a group with friends" would be a use case for Facebook. "Buying a book" would be a case for Amazon's designers.

When CPJ talks to Internet companies, we highlight the use cases of journalists who work in dangerous or authoritarian environments. It might be "defending against an attacker who has control of the infrastructure and wants my password." Or, it could be "breaking a controversial story to thousands of readers, which may prompt government supporters to overwhelm the online complaint system." Or, "surviving a series of denial-of-service attacks aimed at censoring my post."

These are not the first scenarios a start-up might envision for their college-friend-sharing site or text-message-your-friends service. Nonetheless, they're vital to consider. Whether it's Google in China, Twitter in Iran, or Facebook in Egypt, if your social site becomes an essential part of people's lives, it will be used in life-or-death situations. Young but ambitious companies can anticipate and prepare for that.

And if reporters are an edge case, their experiences also shed light on the needs of other groups. For instance, journalists working on sensitive topics talk to a lot of people, often over e-mail. It's vitally important that those contacts aren't revealed to the wrong people, or that information isn't leaked about those conversations. Ex-partners of abusive spouses have a similar need, as they made very clear when Google Buzz abruptly broke that expectation of privacy. If Buzz had "reporters under threat" as a use case, perhaps they might have spotted the other problem earlier.

Shaking out such unintended consequences is, I suspect, one of the reasons the company's new set of social projects, Google+, started with a smaller audience than Buzz. It's a complicated new product, and the full map of those consequences will emerge only slowly through use. But having played with the service for a few hours, I can offer some tentative analysis of how it may affect journalists--and by extension, the rest of us.

In emergencies, political or otherwise, one of the first acts of involved Net users is to become a citizen journalist, if only for the duration. Everyone who speaks online potentially shares some of the use cases of a threatened journalist. And the most at-risk journalists are canaries in the coal mine for grimly inevitable challenges that will face any successful Internet site.

So, how secure is Google+ for at-risk reporters? From Day 1, everything on Google+ is encrypted with https. That means that no one, not even a maliciously motivated government with control of your local ISP, can intercept your private conversations. Companies like Facebook, which did not start out using https, struggle to implement it later. Some wealthy companies like Yahoo still haven't managed it, putting their webmail customers at constant risk of identity theft and surveillance.

What about leaked information about contacts, accidentally revealing who you talk and listen to? Like Twitter's "following" list, Google defaults to telling the entire world who is in your "circles" (its system for organizing your friends and who you are following).

That makes sense for Google: The company is still attracting members for the service, and wants you to hunt through your friends' lists for new colleagues to add. But that's not a good default when a reporter, say, reaches out to a controversial activist, or reveals close family members.

Still, Google+ has learned the lesson of the Buzz fiasco, which is not to arbitrarily and automatically throw who Google thinks are your friends into this list. Even better, Google lets you select who appears in your public circle list. So a journalist can list all his or her public contacts, yet still reserve some for private connections. Boundaries like this will take some tending, and are prone to accidental revelation, but at least you are not obliged to keep everything either private or public, a profound limitation for public writers involved in highly confidential conversations.

A topic that we've covered before is the use of pseudonyms on social networks. Facebook has a strict "real names" policy, which has had consequences in countries like pre-revolution Egypt, where large publicity-generating groups were removed because their owners wished to be anonymous, and for authors like Chinese writer Michael Anti, who prefer to use their well-known pen name over their real name. (Anti, by the way, has joined Google+.)

The rule for Google+ is subtly different: You should go by the name that you're usually known as, and you should not impersonate others. We'll see how this plays out in practice. One possibility these rules could support is that users may have more than one Google+ account--a strategy Syrian activists have pursued on Facebook, despite this being against the terms of service.

One boon for journalists isn't actually part of Google+, though it works closely with it. Google Takeout is the company's universal way for customers to extract for their own use all of the data the company keeps on them; it was rolled out for all Google services on the same day as the G+ test launch.

Google Takeout offers an opportunity to mitigate against the most drastic actions of Google itself. Like Facebook, Microsoft, Yahoo and other hosting services, Google will often decide to take down content it deems too controversial for their service. Putting aside whether these companies are right to remove photographs, groups, or news organizations, the more practical question is what journalists can do if their work is taken down. Or, for that matter, what journalists can do if they decide to move the material themselves.

If your web hosting provider throws you off their computers, you want to at least take your data and set up your Internet stall elsewhere. In social networking environments like Facebook or Flickr, it's far less easy. As Michael Anti and Hossam el-Hamalawy discovered, if you leave, it can be very hard to get your content or contacts out of your former host.

Coded by the company's so-called "Data Liberation Front," Takeout is a tool that lets you download all your data into a format that you might carry to another service. (Facebook has an export tool, too, but it won't allow you to obtain your contacts' email addresses, thus reducing its usefulness outside of Facebook itself.)

It's too early to say whether Google Takeout will have more than a hypothetical benefit. Its usefulness depends on other services offering the capability to import the data that Google spits out.

Of course, it's too early to tell anything about Google+. Will it be successful enough to be considered a journalist's tool? Will it stumble like Google Wave and Buzz? Will it change the world, or remain a geeky backwater?

It looks like Google has considered some of CPJ's use cases when building Google+, and has strong incentives to fix any other issues before they become a bigger problem. (The company is a member of the Global Network Initiative and also paid $8.5 million in a class action settlement over Buzz's privacy violations.)

With this launch, Google is clearly thinking big. And when a company thinks big for its products, it should also think about the ethical and privacy ramifications of thinking big. People's livelihoods, the openness of their societies, and even their lives may depend on it.

Comments

Michael Cervieri wrote a critique ( http://futurejournalismproject.org/post/7160823169/cpj-google-and-security, or click my name above) of this post that raises some excellent points, so I should clarify a little here.

Firstly, I don't want anyone to come away from this blog entry thinking that Google+ is a "great platform for journalists and activists", as Michael says I'm implying.

As I've said about Facebook in the past, and am happy to repeat for Google+, I am uncomfortable recommending any social sites as a repository for such communication, either public or private. If you're truly concerned with the security of your private communications, and the stability of your public presence, you want to maintain a high level of control. Using a centralised, consumer social network places much of that control in a company that does not necessarily place as high a value as you want on your particular level of privacy or security.

Then again, people *do* use Facebook and other centralized services for journalism and activism, so when a new platform comes along, I think it's fair to appraise its weaknesses and strengths relative to the alternatives, especially with regard to the specific needs of journalists in dangerous situations.

Google+'s relative benefits are that it is built with TLS (http) across the board, it has potentially better terms of service when dealing with pseudonymity, and a slightly better exit route should your content be taken down. Those are all improvements, and I hope it puts pressure on other social networks to rise to the same level.

I think Michael's main worry, though, is when I say:

"So, how secure is Google+ for at-risk reporters? From Day 1, everything on Google+ is encrypted with https. That means that no one, not even a maliciously motivated government with control of your local ISP, can intercept your private conversations."

I know what he means when he says that "simply isn't the case", and he highlights what this statement omits. I would rephrase it as "That means a maliciously motivated government with control of your local ISP can't as easily intercept your private conversations as they pass over the ISP."

It's always tricky to simplify security issues, and the risk is always that you'll end up exaggerating toward either glibness or paranoia. But at the same time, I don't think one should understate the benefits of built-in SSL for those whose threat model includes attackers with control of the local Internet infrastructure.

Michael raises the issue of man-in-the-middle attacks, and implies himself that these are as straightforward without https as with. I don't agree with that simplification either. It should be said that a man-in-the-middle attack with SSL requires obtaining a legitimate signed certificate, which requires a level of sophistication beyond simple listening in on the wire.

A level of sophistication that states are rapidly gaining, I should add, as my piece on those threats at Slate ( http://www.slate.com/id/2265204/ ) and our coverage of the recent attempted certificate authority attacks in Syria show. SSL certainly isn't a panacea, but it's a step in the right direction. You'll be amazed at how many services don't use it even for basic security. For instance, Michael's own service, Tumblr, doesn't even encrypt its login page, meaning its users' accounts and passwords are trivially discoverable by a man-in-the-middle, or even just a bystander in a cafe.

Michael's absolutely right that these systems are prone to hacking attacks at Google's server centers, and malware targeted at the client machine. But the risk analysis of both of these threats doesn't change if we're comparing Google+ to Facebook or other social networks (well, it may, but analysing the relative security practices of large Net firms is difficult. Suffice to say that they all have equally high incentives to protect the integrity of their data, even if those practices vary).

I think the key point to repeat here is that Michael reads this as an absolute recommendation of Google+, which I didn't intend it to be, and I apologize for the clumsiness of my language if that's what it came across as. Rather, it's a description of any relative improvements (and new risks) that Google+ has over other comparable systems for the unique use case of journalists at risk.

It's also not the end of the story. Security doesn't just come from abstract estimations of certain features, but from history and experience. I'm sure that we'll discover many flaws in Google+ (one I left out for space, for instance, was its strange insistence on making public your gender online, which given recent CPJ concerns, is a clear issue). What's important is we document -- accurately -- these benefits and flaws in widely-used software, not just for the average user, but for those who face particular and uniquely dangerous online attackers.

Thanks to Michael for keeping me honest and precise.

Thanks for such an important and thoughtful story.

Google exec Wael Ghonim as a prism for the Arab Spring has clearly allowed a focus on the need for security, whether it's people in the street with a smartphone, or citizen and professional journalists.

It's life and death for many of us and Google+ is likely to become the platform of choice for those of us who flood twitter with our updates today.

There may be room in the Sparks module for news curators to find workflow efficiencies and a fuller integration with other platforms.

I'm still exploring Google+ and am listed to test the business version.

We activists and advocates may have found our tool for the future.

Thanks
tony serve

Unfortunately, Google just announced a rule change regarding pseudonyms on Google+.

Not allowed.

https://plus.google.com/109179785755319022525/posts/YcvRKqJeiZi